Phishing remains one of the favorite methods of hackers to make money quickly and easily. To maximize the number of victims and by extension the revenue generated, operators generally target users of popular applications and customers of very large companies. This is why Apple, Microsoft and Facebook are favorite targets of phishing campaigns. In April 2022, hackers pretended to be Facebook to hack users’ accounts. And now, PIXM information security researchers are warning about a new massive phishing campaign on Facebook Messenger.
So, the principle of the operation is simple: the hackers have developed many phishing sites by taking over the interface of Facebook and Messenger. The goal is to encourage victims to provide their login credentials. Once the hackers had this information, two things happened: Victims are redirected to websites that host advertisements, surveys and other ways to generate revenue for the operators and stolen Facebook accounts are used to spread the campaign via Messenger.
Hackers generate millions of dollars by a massive Facebook Messenger phishing campaign
To do this, hackers use automated tools to send other phishing links to friends of compromised accounts. “A user’s account was subject of the attack and, in a likely automated way, the threat actor logged into that account and sent the link to the user’s friends via Facebook Messenger“.
And although Facebook has safeguards to prevent the delivery of malicious URLs; operators have used a trick to bypass Facebook Messenger’s security. Indeed, phishing messages using legitimate ULR generation services such as litch.me, famous.co, amaze.co or even funnel-preview.com. These URLs are in use by many legitimate applications. According to the researchers, 2.7 million users visited one of the phishing portals. This figure has increased to 8.5 million in 2022, reflecting the massive growth of the campaign.
The Colombian Police and Interpol has got the results of PIXM’s investigation; but the campaign is still ongoing, despite the fact that many of the identified URLs have gone offline.