A sophisticated phishing campaign has been uncovered by the Cofense Phishing Defense Center, targeting Meta Business accounts through fake emails that mimic urgent notifications from Instagram.
These emails claim that the recipient’s ads have been suspended due to alleged violations of advertising laws and policies, including the EU GDPR.
The urgency of these messages is designed to prompt immediate action from the recipient, potentially leading to the compromise of their business account credentials.

Phishing Tactics and Techniques
The phishing campaign begins with an email titled “Support ID: #xxxx – Critical Advertising Restrictions on Your Account,” which appears to be from a legitimate source but actually originates from a spoofed address, such as noreply@salesforce[.]com.
Upon clicking the “Check more details” button, users are redirected to a fraudulent webpage that closely resembles a legitimate Meta Business page.
However, the URL reveals that it is not a genuine Meta domain, instead directing users to sites like businesshelp-manager[.]com.

Once on this page, users are prompted to request a review, which leads them to interact with a fake chat support agent.
According to the report, this agent guides the user through steps that ultimately allow the threat actor to hijack the account by registering themselves as a “Secure Login” via Meta’s Authenticator App feature.
The attackers employ two primary methods to gain unauthorized access.
The first involves using a fake tech support chatbot to guide users through the process of adding the attacker as a secure login.
The second method provides a step-by-step guide that mimics a do-it-yourself approach to fixing the user’s account, further deceiving users into enabling two-factor authentication (2FA) with the attacker’s Authenticator app.
This campaign highlights the evolving sophistication of phishing tactics, which now include live agent support to enhance the illusion of legitimacy.
Implications and Recommendations
This campaign serves as a stark reminder of the evolving threats businesses face in securing their social media credentials.
The emails and landing pages are crafted with a high level of attention to detail, making them difficult to distinguish from legitimate communications.
Users are advised to remain vigilant and verify all communications before responding.
It is crucial to examine the sender’s email address and the URL in the browser’s address bar carefully before taking any action.
Prompt reporting of suspicious activity can help prevent potential damage.
As phishing tactics continue to evolve, staying alert and informed is key to protecting business accounts from such threats.
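The sender-address and URL checks recommended above, turned into a small mail-triage rule as an added example (this is not code from the Cofense report). The trusted-domain lists and both sample messages are constructed assumptions; the lookalike host and spoofed sender mirror the indicators the article describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-lists: domains that legitimately send Meta/Instagram business mail
# and hosts a genuine "check details" link should land on. Tune to your tenant.
TRUSTED_SENDER_DOMAINS = {"facebookmail.com", "mail.instagram.com"}
TRUSTED_LINK_DOMAINS = {"facebook.com", "instagram.com", "meta.com"}
BRAND_WORDS = ("meta", "business", "instagram", "facebook", "help")
URGENCY_RE = re.compile(r"restriction|suspend|violation", re.I)
URL_RE = re.compile(r"https?://[^\s\"'>]+")


def registrable(host):
    """Crude eTLD+1 (last two labels); fine for .com, wrong for e.g. co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_message(raw):
    """Return a list of findings for one RFC 822 message; [] means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain and registrable(sender_domain) not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a known Meta notification domain")
    if URGENCY_RE.search(msg.get("Subject", "")):
        findings.append("urgent ad-policy wording in subject")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        # A host that borrows brand words but is not a Meta-owned domain is a lookalike.
        if registrable(host) not in TRUSTED_LINK_DOMAINS and any(w in host for w in BRAND_WORDS):
            findings.append(f"link to lookalike host {host}")
    return findings


# Constructed samples: one modelled on the campaign, one benign notification.
SAMPLE_PHISH = """\
From: Instagram Support <noreply@salesforce.com>
Subject: Support ID: #1234 - Critical Advertising Restrictions on Your Account

Your ads have been suspended for violating advertising policies (EU GDPR).
Check more details: https://businesshelp-manager.com/review?id=1234
"""
SAMPLE_LEGIT = """\
From: Meta for Business <notification@facebookmail.com>
Subject: Your weekly ad performance report

See this week's results: https://business.facebook.com/adsmanager
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, flag_message(sample))
```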