Attackers Use Legitimate Facebook Infrastructure for Credential Phishing
With nearly three billion active users across the globe, it’s no wonder that cybercriminals love to impersonate Facebook. While threat actors have been using phishing emails to try to steal Facebook login credentials for years, we’ve recently seen an increase in more sophisticated phishing attacks, including the one outlined here.
Summary of Attack Target
- Platform: Google Workspace
- Email Security Bypassed: Inky
- Victims: Facebook Users
- Payload: Malicious Link
- Technique: Impersonation
About the Facebook Phishing Attack
Similar to a credential phishing scam we discussed in December 2020, this attack seeks to acquire login credentials from Facebook users by tricking them into believing their account will soon be disabled.
The phishing email informs the recipient that their account has been reported by multiple users for repeatedly posting content that violates Facebook’s policies. To avoid having their account disabled and their page removed, they must click on the link in the email to file an appeal.
When the recipient clicks on the link in the email, they are redirected to a Facebook post that ups the ante by telling them they only have 48 hours to respond. Within the post is a link to a credential phishing site disguised as a form to request an appeal.
As part of this fake appeals process, they must provide sensitive information, including their name and email address. When the recipient tries to submit the form, a popup appears asking them to enter their Facebook password. If they enter their password and click Continue, the attacker now has all of the information they need to access the target’s Facebook account.
Why This Facebook Credential Phishing Attack Is Unique
What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook.
Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email.
In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.
To further improve their chances of successfully stealing the target’s credentials, the threat actors use the Facebook post to raise the stakes and create an even greater sense of urgency. The fear of their account being disabled if action isn’t taken immediately is often enough by itself to convince recipients to provide their personal information—especially if they are using their Facebook account for business purposes.
But including an additional step that sends the recipient to an actual Facebook post first helps enhance the appearance of authenticity and increases the probability of the target believing their page is in danger of being removed.
The Impact of the Facebook Phishing Attack
With their login credentials, the threat actor can browse through the victim’s profile and collect a wide variety of information, including what might be the answers to security questions on other accounts. (After all, how many of our mothers have their maiden name somewhere on Facebook?) And if the recipient reused their Facebook password and email for other websites or apps, the attacker now has access to those as well.
Another way attackers can use this access is to impersonate the target and engage with their network and easily find more victims. Or, based on what they find within the Facebook account, they can extort the victim, asking them to pay a fine or risk their private information being sent to friends, family, or law enforcement.
This attack could be particularly devastating because, as mentioned above, it seems the attackers are singling out individuals who manage Facebook Pages for businesses. If the threat actor gains access, they can do long-term damage to the brand’s reputation.
Scary, right? And all from a simple phishing email.
Why Abnormal Remediated This Email
While the recipient's other email security solution did flag the email with “Potential Sender Forgery” and “Spam Content”, the platform did not properly remediate the email or render it inert.
Here’s why Abnormal stopped this email from being delivered:
- The sender's display name and signoff matched a known brand (Facebook), but the sender's email was messaging-service[@]post.xero.com.
- While the sender's email was messaging-service[@]post.xero.com, the reply-to was a random Gmail address: qerasnumber1[@]gmail[.]com.
- The body of the email contained language that indicated the sender was attempting to steal personal information.
Based on Abnormal’s analysis of the email content and the sender, the message was automatically remediated and was not delivered to the recipient’s inbox.
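As an added example (this is not Abnormal's code or the product's detection logic), the Python script below applies the three checks listed above to a raw message: a display name that claims a brand while the From address sits on an unrelated domain, a Reply-To that diverts responses to a different domain, and lure language in the body. The brand-to-domain table, the phrase list and the verdict rule are assumptions for the demo; the sample messages are constructed to reproduce the header pattern described in this post (display name Facebook, From on post.xero.com, Reply-To on gmail.com) and their body text is invented.

```python
"""Header- and content-consistency checks for a suspected brand-impersonation email.

Added example, not Abnormal's code. Parses an RFC 5322 message and reports
the signals discussed in the post, then applies a simple verdict rule.
"""
from email import policy
from email.parser import BytesParser

# Assumed: brands and the domains that legitimately send mail for them.
# A real deployment would maintain this list; these entries are illustrative.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Assumed phrases. The post only says the body "indicated the sender was
# attempting to steal personal information"; these are built from the lure
# it describes (account reported, appeal, 48 hours, password prompt).
SUSPICIOUS_PHRASES = (
    "account will be disabled",
    "file an appeal",
    "violates",
    "48 hours",
    "enter your password",
)


def _on_domain(domain: str, allowed: set) -> bool:
    """True if domain is one of the allowed domains or a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw: bytes) -> dict:
    """Return the signals found in one raw message plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    display = sender.display_name.lower() if sender else ""
    from_domain = sender.domain.lower() if sender else ""

    # Signal 1: display name claims a brand, but From is not on that brand's domains.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display and not _on_domain(from_domain, domains):
            findings.append(f"brand_mismatch:{brand}:{from_domain}")

    # Signal 2: Reply-To sends replies to a different domain than From.
    reply_domains = []
    if msg["Reply-To"]:
        reply_domains = [a.domain.lower() for a in msg["Reply-To"].addresses]
    for d in reply_domains:
        if d != from_domain:
            findings.append(f"reply_to_mismatch:{d}")

    # Signal 3: lure language in the body (text/plain preferred, html as fallback).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    hits = [p for p in SUSPICIOUS_PHRASES if p in text]
    if hits:
        findings.append("lure_language:" + ",".join(hits))

    # Assumed rule: a brand mismatch alone is weak (third-party senders exist);
    # brand mismatch combined with at least one more signal is treated as actionable.
    kinds = {f.split(":", 1)[0] for f in findings}
    verdict = "remediate" if "brand_mismatch" in kinds and len(kinds) >= 2 else "deliver"
    return {"from_domain": from_domain, "reply_to_domains": reply_domains,
            "findings": findings, "verdict": verdict}


# Constructed sample reproducing the header pattern the post describes.
# The body text is invented for the demo.
PHISH_SAMPLE = """\
From: Facebook <messaging-service@post.xero.com>
Reply-To: qerasnumber1@gmail.com
To: page-admin@example.com
Subject: Your page has been reported
Content-Type: text/plain; charset="utf-8"

Your account was reported for content that violates our policies.
To avoid deactivation you must file an appeal within 48 hours.
""".encode()

# Constructed benign sample for contrast: brand display name on a brand domain, no Reply-To.
BENIGN_SAMPLE = """\
From: Facebook <notification@facebookmail.com>
To: page-admin@example.com
Subject: Weekly page summary
Content-Type: text/plain; charset="utf-8"

Here is how your page did this week.
""".encode()

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(raw))
```

Running the script prints a "remediate" verdict for the constructed phishing sample (all three signals fire) and "deliver" for the benign one. The combination rule matters: many legitimate notifications are sent through third-party mail providers, so a display-name/domain mismatch on its own would produce false positives, which is why the reply-to divergence and body content are weighed alongside it.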
The Impact of Successful Facebook Phishing Attacks
Cybercriminals are constantly adapting their tactics and making it more difficult for targets to recognize attacks. And considering how common it is to reuse passwords for multiple accounts, a threat actor only has to be successful once to cause significant losses, for individuals and organizations alike.
The bottom line: think twice before entering your login information, especially if clicking through a link.