A sophisticated new phishing campaign is targeting Facebook users by leveraging advanced social engineering tactics, including a convincing fake CAPTCHA and the “Browser-in-the-Browser” (BitB) technique, to steal login credentials.
Security researchers have identified a surge in malicious domains explicitly designed to mimic legitimate Facebook authentication workflows, putting unsuspecting users at heightened risk.
Attackers Employ Fake CAPTCHA
The attack begins with a malicious redirect that leads users to a seemingly innocuous webpage presenting a fake CAPTCHA prompt, purportedly as a security verification measure.
Unlike typical phishing attempts, this page is meticulously crafted to emulate common web security interfaces, reducing users’ suspicion and increasing conversion rates.
Upon interacting with the fake CAPTCHA, victims are presented with a convincing Facebook login popup: a Browser-in-the-Browser window that replicates the look and feel of a genuine browser authentication dialog.

This Browser-in-the-Browser method is particularly dangerous due to its ability to spoof browser UI elements such as address bars, padlocks, and window frames, deceiving even tech-savvy users into believing they are interacting with Facebook’s official site.
When credentials are entered, they are harvested by the attackers in real time, granting them access to the victim’s personal account and potentially exposing associated data and sensitive communications.
What sets this campaign apart is the array of domains used to host these phishing pages, which incorporate keywords related to meta, CAPTCHA, and Facebook, further enhancing their legitimacy to unsuspecting users.
Examples include recaptcha-metahorizon[.]com, facefbook[.]com (a simple letter transposition), and verify-facebook[.]com.
Such naming conventions are designed to bypass rudimentary security awareness and evade automated phishing filters.
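As an added example (not code from the article or from the researchers it cites), the following Python scores hostnames against the naming patterns described above, brand words combined with verification words and edit similarity to "facebook" for typosquats such as facefbook[.]com, and runs that scoring over constructed DNS-log lines. The allowlist, scoring weights, keyword lists and log format are assumptions.

```python
import re
from difflib import SequenceMatcher

# Hostname vocabulary this campaign combines (drawn from the article's IoC table).
BRAND_WORDS = ("meta", "facebook")
VERIFY_WORDS = ("captcha", "capcha", "bot", "bypass", "verify", "login")
# Hypothetical allowlist of registrable domains the organisation trusts.
ALLOWLIST = {"facebook.com", "meta.com", "google.com", "recaptcha.net"}

def registrable(host):
    """Refang 'a[.]b' to 'a.b' and keep the last two labels (ignores suffixes like .co.uk)."""
    return ".".join(host.strip().lower().replace("[.]", ".").split(".")[-2:])

def score_domain(host):
    """Return (score, reasons); higher means the name looks more like this campaign's lures."""
    reg = registrable(host)
    if reg in ALLOWLIST:
        return 0, ["allowlisted"]
    sld = reg.split(".")[0]                      # only the registrable label is scored
    brand = [w for w in BRAND_WORDS if w in sld]
    verify = [w for w in VERIFY_WORDS if w in sld]
    score, reasons = 0, []
    if brand:
        score, reasons = score + 1, reasons + [f"brand word {brand}"]
    if verify:
        score, reasons = score + 1, reasons + [f"verification word {verify}"]
    if brand and verify:                         # e.g. recaptcha-metahorizon, verify-facebook
        score, reasons = score + 2, reasons + ["brand and verification lure combined"]
    ratio = SequenceMatcher(None, sld, "facebook").ratio()
    if sld != "facebook" and ratio >= 0.85:      # e.g. facefbook (one inserted letter)
        score, reasons = score + 3, reasons + [f"typosquat of facebook (similarity {ratio:.2f})"]
    return score, reasons

def triage(log_lines, threshold=3):
    """Return (name, score, reasons) for DNS-log lines whose queried name scores >= threshold."""
    hits = re.findall(r"\bquery\s+(\S+)", "\n".join(log_lines))
    scored = [(h.replace("[.]", "."), *score_domain(h)) for h in hits]
    return [s for s in scored if s[1] >= threshold]

# Constructed sample log lines (not from the article); lure names come from its IoC table, kept defanged.
SAMPLE_LOG = [
    "10:00:01 client 10.0.0.5 query www.facebook.com A",
    "10:00:02 client 10.0.0.5 query recaptcha-metahorizon[.]com A",
    "10:00:03 client 10.0.0.7 query facefbook[.]com A",
    "10:00:04 client 10.0.0.9 query metabolism-research.org A",
    "10:00:05 client 10.0.0.9 query clearcapcha[.]com A",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Only the registrable label is scored, so a lure keyword placed in a subdomain of an otherwise unremarkable domain is not caught; metabolism-research.org shows that a single brand word alone stays below the threshold.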
Multiple Malicious Domains Identified
Researchers emphasize that users must remain vigilant against unsolicited login requests, especially when preceded by CAPTCHA or anti-bot verifications.
Security teams are urged to disseminate warnings regarding this campaign and update their security appliances to block the identified domains.
The growing sophistication of Browser-in-the-Browser phishing attacks highlights the importance of browser-level anti-phishing solutions and endpoint detection tools that can distinguish legitimate browser dialogs from fraudulent popups.
Security professionals recommend that organizations implement multi-factor authentication, educate users about emerging phishing trends, and remind them to verify URLs in browser address bars before entering credentials.
If you have interacted with any of these domains or entered login information, it is imperative to change your Facebook password immediately and enable account security features. Vigilance and rising awareness remain the keys to thwarting such advanced phishing threats.
Indicators of Compromise (IoC)
| Malicious Domain | Description |
|---|---|
| recaptcha-metahorizon[.]com | Fake CAPTCHA, Meta-themed |
| norotbot-meta[.]com | Anti-bot spoof, Meta-related |
| loginpage-meta[.]com | Imitates Meta login page |
| meta-captcha[.]com | Meta-branded CAPTCHA phishing |
| facefbook[.]com | Typo-squatted Facebook domain |
| ncaptcha-meta[.]com | CAPTCHA for Meta theme |
| notrobot-metahorizon[.]com | Fake anti-bot, Meta-branded |
| clearcapcha[.]com | Misspelled CAPTCHA, generic |
| antibot-meta[.]com | Generic anti-bot, Meta-related |
| captcha-loginmeta[.]com | Combines CAPTCHA and Meta wording |
| verify-facebook[.]com | Spoofs Facebook verification |
| autobypass-meta[.]com | Anti-bot evasion theme, Meta |
| recaptcha-loginmeta[.]com | Recaptcha and Meta login phishing |