New Cyber Attack Targeting Facebook Business Accounts

A new phishing campaign targets Meta business accounts with emails that mimic policy or copyright infringement notices. The emails contain malicious links that bypass MFA and are written in multiple languages to target users across 19 countries.

The attackers use a comprehensive toolkit to create the emails, validate links, and manage other campaign tasks. If successful, the campaign compromises Facebook business accounts, potentially leading to further attacks such as fraudulent advertising.

The emails are spoofed to look like official Meta communication and exploit concerns about policy violations or copyright infringement to trick users into revealing login credentials.

The phishing toolkit behind the campaign allows for multilingual attacks across 19 countries and bypasses secure email gateways. Researchers discovered the threat actor infrastructure, including tools for email generation, link creation, and MFA bypass.

The campaign highlights Meta as a top target for credential phishing, emphasizing the need for user awareness and strong security practices. 

Phishing email that reached a user’s inbox. 

The campaign impersonated the Facebook Ads Team and targeted business accounts. The emails contained grammatical errors and a malicious link disguised as a button or text.

Clicking the link led to a landing page mimicking the account recovery process, where users were tricked into submitting their business email, password, and even 2FA codes through a step designed to bypass MFA. The stolen credentials were then exfiltrated, potentially to a Telegram bot.

Breakdown of the full phishing infection chain. 

The analysis revealed threat actor infrastructure: the site contained Vietnamese-to-English redirects to services the threat actors use, including link creation on Netlify.app, Hotmail login, and internal spreadsheets. A locked “Profits/Costs” spreadsheet suggests financial motivation.

Threat actor resources, infrastructure, and tools used in this campaign. 

The site also hosted various tools, such as text-to-CSV conversion and phishing email generation. The “Check Links” tool offered a list of active phishing URLs with a link health check, and the “TEXT emails to countries” tool could automatically generate phishing emails based on selected criteria.

Threat actor tool to input malicious links to check if they’re active. 

An analysis by Cofense revealed Meta as the second most impersonated brand in phishing campaigns during Q1 2024, following Microsoft. This highlights the vulnerability of users who rely on popular social media platforms, such as Facebook and Instagram, for communication.

The phishing attempts likely aim to steal login credentials by mimicking legitimate Meta communication and exploiting user trust in the brand. 
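An added example, not code from Cofense or the original article: a mail-triage check for the traits reported above (Facebook/Meta branding in the display name from a non-Meta sender, a policy or copyright lure, and links that leave Meta's domains, such as pages hosted on Netlify.app). The domain allowlist, finding names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of Meta sending/link domains; adjust for your environment.
META_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com", "instagram.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
LURE = re.compile(r"\b(policy|copyright)\b", re.I)

def is_meta(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)

class Links(HTMLParser):
    """Collects the hostname of every <a href> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlparse(href).hostname or "")

def triage(raw):
    """Return the reasons a message matches the campaign's reported traits."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # assumes a single-part message
    findings = []
    if BRAND.search(name) and not is_meta(addr.rpartition("@")[2]):
        findings.append("brand-in-display-name-from-non-meta-domain")
    if LURE.search(msg.get("Subject", "") + " " + body):
        findings.append("policy-or-copyright-lure")
    parser = Links()
    parser.feed(body)
    findings += ["non-meta-link:" + h for h in parser.hosts if not is_meta(h)]
    return findings

# Constructed sample message (not taken from the campaign).
SAMPLE = """From: "Facebook Ads Team" <notice@mailer.example>
Subject: Your page violate our policy
Content-Type: text/html

<a href="https://placeholder-site.netlify.app/appeal">Appeal Now</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""
```

A message that trips all three checks is a strong candidate for quarantine; any single finding on its own is better treated as a signal for analyst review.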


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents.
