Security researchers are warning of an active Facebook Messenger phishing operation. Cyberint experts noticed a suspicious Facebook Messenger message, which led them to identify the campaign. As a result, users’ accounts are being exploited “to further propagate the phishing lure,” the report says.
Several Questions about the Facebook Messenger Phishing Campaign
What does the phishing lure look like?
The mechanism of the campaign is one we have seen plenty of times. It is presented as a link to a YouTube video sent from a contact known to the recipient.
If you are tricked into clicking on it, you get redirected through multiple websites that determine if you are on a mobile device. Researchers believe that such attempts are less noticeable on mobile devices. Finally, you will be presented with a Facebook phishing page, then you will go through some more redirects, and end up in the official Google Play Store.
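The redirect chain described above can be checked from the defender's side once the hops are recovered from proxy or browser logs. The following is an added example, not code from Cyberint's report: the function names, finding labels, and sample URLs are assumptions constructed for illustration, and the check assumes the phishing hop uses the Facebook name in its host or path.

```python
from urllib.parse import urlsplit

YOUTUBE = ("youtube.com", "youtu.be")
FACEBOOK = ("facebook.com", "messenger.com")
PLAY_STORE = ("play.google.com",)

def on_domain(url, domains):
    """True only if the URL's host is one of the domains or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def review_chain(lure_text, hops):
    """Return findings for one ordered redirect chain (list of URLs)."""
    findings = []
    if not hops:
        return findings
    # 1. The message claims to be YouTube, but the first request goes elsewhere.
    if "youtube" in lure_text.lower() and not on_domain(hops[0], YOUTUBE):
        findings.append("lure-mismatch")
    # 2. A hop uses the Facebook name without being on a Facebook domain.
    lookalike_at = None
    for i, url in enumerate(hops):
        parts = urlsplit(url)
        label = ((parts.hostname or "") + parts.path).lower()
        if "facebook" in label and not on_domain(url, FACEBOOK):
            lookalike_at = i
            findings.append("facebook-lookalike")
            break
    # 3. After the lookalike page the chain ends at the Play Store and
    #    never returns to the real site (the oddity the report points out).
    if lookalike_at is not None:
        rest = hops[lookalike_at + 1:]
        returned = any(on_domain(u, FACEBOOK) for u in rest)
        if rest and on_domain(rest[-1], PLAY_STORE) and not returned:
            findings.append("play-store-exit-no-return")
    return findings

# Constructed sample chains on reserved example domains (not real indicators).
SAMPLE_CHAIN = [
    "http://video-share.example/watch?v=abc",
    "http://hop1.example.net/r?ua=mobile",
    "http://facebook.com.login.example.org/login.php",
    "http://hop2.example.net/out",
    "https://play.google.com/store/apps/details?id=com.example.app",
]
BENIGN_CHAIN = ["https://www.youtube.com/watch?v=abc"]

if __name__ == "__main__":
    print(review_chain("YouTube video", SAMPLE_CHAIN))
    print(review_chain("YouTube video", BENIGN_CHAIN))
```

The host comparison is a suffix match on the parsed hostname, so a host such as `facebook.com.login.example.org` is not mistaken for a Facebook domain the way a substring check would mistake it.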
What is the purpose of the campaign besides the theft of Facebook credentials?
“The motivations or final objectives of the threat actor remain somewhat vague,” Cyberint says.
Furthermore, it is rather unusual that the phishing campaign doesn’t return the victim to the targeted site:
Aside from the potential for some kind of referral-fraud, assuming that the redirection chain passed the victim through websites offering affiliate schemes, it appears unusual for a phishing campaign to not culminate in the victim being returned to the targeted site.
What is known is that the harvested credentials are exploited to distribute the phishing campaign further. However, the researchers are unaware of whether fraudsters are after any other data or if related account fraud occurs.
What is the impact of this phishing operation?
A webpage statistics service used by the cybercriminals indicates that the scale of the operation is 450,000 pageviews. This data is valid as of 1700hrs UTC on 16 October 2020, the report notes.
In another phishing campaign detected in September, cyber fraudsters were targeting Microsoft Outlook credentials. Conveniently, the threat actors abused the current COVID-19 pandemic, masking the email messages as notes from a technical support team from a company the intended victims may work for. This shows that the criminals must have completed prior research to select the victims and plan the phishing messages’ layout.