Researchers have uncovered a huge phishing campaign exploiting Facebook ads and GitHub pages. Using these lures, the attackers targeted over 615,000 users, stealing their account credentials.
Facebook Ads Phishing Campaign
Researchers from the Nepalese cybersecurity firm Threat Nix have shared details about their findings regarding a widespread Facebook ads phishing campaign in their post.
As revealed, they uncovered an orchestrated phishing campaign that targeted Facebook users with fake ads. On Facebook, such ads usually appear as sponsored posts from the pages belonging to various companies and sellers.
Users generally have no problem with these sponsored posts and often open them to learn more. That interest appears to be what led the attackers behind the phishing campaign to exploit this feature.
Thus, as discovered, the attackers created various pages impersonating otherwise legit pages from different entities. These pages ran sponsored ads with shortened links that redirected to phishing websites hosted on GitHub pages.
The phishing sites mimicked the Facebook login page to steal users’ credentials that would then reach two endpoints. As described by the researchers,
All these static GitHub pages forwarded the phished credentials to two endpoints, one to a Firestore database and another to a domain hosted on GoDaddy.
As an example, the researchers highlighted one such post from a copy of the Nepal Telecom Facebook page. Its sponsored ad offered users free internet GBs and asked them to click on a shortened URL.
Regarding how this campaign executed successfully on Facebook, the researchers explain,
While Facebook takes measures to make sure that such phishing pages are not approved for ads, in this case the scammers were using Bitly links which initially must have pointed to a benign page and, once the ad was approved, were modified to point to the phishing domain.
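The link swap the researchers describe can be caught by re-resolving an ad's short link after approval and comparing the destination host with the one recorded at review. The following is an added example, not code from Threat Nix or Facebook; the observation records, the `find_retargeted` helper and the watched `github.io` suffix are assumptions, and the sample data is constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosting suffixes worth escalating; the article names GitHub pages.
WATCHED_SUFFIXES = ("github.io",)

# Constructed sample data: (short link, unix time of check, resolved destination).
# The earliest row per link is the destination seen when the ad was reviewed.
OBSERVATIONS = [
    ("https://bit.ly/constructed-1", 1000, "https://telecom.example/offers"),
    ("https://bit.ly/constructed-1", 2000, "https://TELECOM.example/offers?ref=ad"),
    ("https://bit.ly/constructed-1", 3000, "https://constructed-user.github.io/"),
    ("https://bit.ly/constructed-2", 1000, "https://shop.example/sale"),
    ("https://bit.ly/constructed-2", 2500, "https://shop.example/sale/winter"),
]

def host_of(url):
    """Lower-cased hostname without a trailing dot, or '' if unparsable."""
    return (urlsplit(url).hostname or "").rstrip(".")

def is_watched(host):
    """True if the host is, or is a subdomain of, a watched hosting suffix."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_retargeted(observations):
    """Return one finding per short link whose destination host changed
    after the earliest (review-time) observation."""
    baseline, findings = {}, {}
    for link, ts, dest in sorted(observations, key=lambda o: (o[0], o[1])):
        host = host_of(dest)
        if link not in baseline:
            baseline[link] = host          # host recorded at ad review
        elif host != baseline[link] and link not in findings:
            findings[link] = {             # first post-approval host change
                "link": link,
                "approved_host": baseline[link],
                "current_host": host,
                "changed_at": ts,
                "severity": "high" if is_watched(host) else "medium",
            }
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_retargeted(OBSERVATIONS):
        print(finding)
```

Path or query changes on the same host are not flagged here; only a change of destination host after review is treated as retargeting.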
Asian Users Targeted The Most
According to the stats, Threat Nix observed that the phishing campaign targeted Asian users the most, though its overall impact reached Africa and Europe as well.
Predominantly, the victims were from Nepal, followed by the Philippines, Egypt, Pakistan, Mongolia, Norway, Tunisia, Iraq, Malaysia, and Algeria. Yet, the list showed credentials from users across 50+ countries.
By the time of their disclosure, the campaign had already targeted over 615,000 users and was still going on. Meanwhile, the overall list of phished credentials was adding up to 100 entries every minute.
For now, the researchers have not shared further details as they work towards the removal of this phishing campaign.