According to researchers at PIXM, Facebook is the launch pad for a large-scale phishing campaign that first reared its head back in September 2021. At this scale of operation, the campaign's estimated revenue from page views and ad referrals runs into the millions of USD.

Credential harvesting on a grand scale

To help achieve that enormous revenue, the threat actors were able to steal one million Facebook credentials in just four months, according to the researchers' claims.

The attempts are fairly typical of what you expect to see from Facebook phishing tactics. In other words, their bogus links are not very original. Unfortunately, what worries us is that it works. And when these tactics trick so many Facebook users, it's no wonder the threat actors don't try something new.

Meanwhile, one scam site attracted around 2.7 million users in 2021, and in 2022 that number has already reached 8.5 million. It is a bit surprising that this site hasn't been taken down for abuse, especially with such high numbers. Certainly, this phishing campaign is not mucking around. It's serious!

How the phish worked

Some of the specifics are missing in a few areas, unfortunately, but here's the gist of how it works.

Firstly, a Facebook user receives a ping via Messenger containing a fairly basic rogue link. We're not sure whether a message accompanies it or what it says, as there is no information on that. But simple messages like these are routinely used in Facebook scams:

  • Seen this?
  • Is this you in the photo?
  • Guess who died?
  • Check this out!

Secondly, the links are shortened, which helps them evade the spam filters that Facebook uses. The shortening services themselves are popular, common and legitimate, so it is difficult for Facebook to decide whether a given link is OK or not.

The main aim is to take the potential victim to a phishing page, but the links go to a variety of sites. Once the victim has been phished, they are sent somewhere else: for example, a survey scam, a promotion, or anything else that is ad-centric. On top of the threat of being phished, there's also mention of potential malvertising pages. Meanwhile, the links carry ad trackers and other ad-related code, so they generate revenue.

Current state of play

Apparently, the campaign is still very much alive and kicking, according to PIXM. But things have changed a little, as many sites have been taken down and one site has been "seized" in relation to an investigation.

Importantly, without dedicated resources and law enforcement getting convictions against these threat actors, these phishing scams just won't go away.

For the threat actors it's just too easy and profitable to keep doing what they do: creating spam domains, signing up as affiliates, and generating endless shortened URLs, without any form of punishment. For instance, they earn $150 for every thousand visits from the US; that's $150,000 for every million people who click through to their site. Certainly, the threat actors are incentivised to keep going.

If the figures are right, the researchers estimate that the revenue raised from the end of 2021 to now is $59 million. Wow!

Tips to avoid Facebook phishing

  • Be wary of messages that are sent at unusual times, out of the blue, or that don't flow naturally with the conversation. Any out-of-the-blue message with a link should be treated with caution.
  • If you're presented with a "Login to view content" box, don't go any further. There should be no reason why you'd be asked to log in again if you're already logged in. Check the URL. Are you on Facebook.com, or an unrelated website?
  • If you’re able to, ask the sender about their message away from Facebook.
  • Enable 2-factor authentication (2FA). If you give your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. But keep in mind that some phishing sites will also try to steal your password and 2FA code.
  • Add login alerts to your Facebook account. That way you'll be notified by Facebook as soon as someone tries to compromise your login credentials and access your account.
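
The "check the URL" tip above is easy to get wrong, because a naive substring match accepts look-alike hosts. The following is an added example (not from the article or PIXM) that applies the tip as a browser would: it takes the host the browser will actually connect to and accepts it only if it is facebook.com or a subdomain of it. The legitimate-domain list is an assumption limited to the main site, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only the main site is listed. Facebook also uses other
# domains (fb.com, messenger.com, ...), which a real allow list would add.
LEGIT_DOMAINS = ("facebook.com",)


def landing_host(url: str) -> str:
    """Return the host a browser would connect to for this URL.

    urlsplit() separates userinfo from the real host, so a link written as
    'https://facebook.com@other.example/login' resolves to 'other.example'.
    Port and letter case are stripped as well. Non-web schemes yield ''.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.rstrip(".")


def is_legit_facebook_url(url: str) -> bool:
    """True only when the host is an allow-listed domain or a subdomain of it.

    Matching on a label boundary ('.' + domain) rejects the two classic
    look-alikes: a suffix trick ('facebook.com.other.example') and a
    prefix trick ('notfacebook.com'), both of which 'facebook.com' in url
    would wrongly accept.
    """
    host = landing_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_login_prompt(url: str) -> str:
    """Apply the article's rule: a 'Login to view content' box is only
    plausible when the page really is on facebook.com."""
    if is_legit_facebook_url(url):
        return "legitimate host"
    return "suspicious: login prompt on an unrelated site"


if __name__ == "__main__":
    for sample in ("https://m.facebook.com/",
                   "https://facebook.com.other.example/login",
                   "https://facebook.com@other.example/login"):
        print(sample, "->", classify_login_prompt(sample))
```

Note that this only judges the host you have landed on; a shortened link must first be followed to its final destination before the check means anything.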
