Massive Facebook Messenger phishing operation generates millions


Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and viewing ads.

The campaign operators used these stolen accounts to send further phishing messages to the victims' friends, generating significant revenue through online advertising commissions.

According to PIXM, a New York-based AI-focused cybersecurity firm, the campaign peaked in April-May 2022 but has been active since at least September 2021.

PIXM was able to trace the threat actor and map the campaign because one of the identified phishing pages hosted a link to a traffic monitoring app that was publicly accessible without authentication.

Massive scale of abuse

While it is unknown how the campaign initially started, PIXM states that victims arrived at the phishing landing pages through a series of redirects originating from Facebook Messenger.

As more Facebook accounts were stolen, the threat actors used automated tools to send further phishing links to the compromised account's friends, creating massive growth in the number of stolen accounts.

"A user's account would be compromised and, in a likely automated fashion, the threat actor would log in to that account and send out the link to the user's friends via Facebook Messenger," explains PIXM in the report.

While Facebook has security measures to stop the dissemination of phishing URLs, the threat actors used a trick to bypass these protections.

The phishing messages used several legitimate URL generation services, which are difficult to block because legitimate apps also use them.
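Because the links sat on services that legitimate apps also use, blocking by domain is a poor control; the behaviour the article describes (a freshly compromised account pushing one link to many friends in an automated burst) is a better signal. The following is an added example, not code from the article or from PIXM: a small detector that keys on per-sender fan-out of a single URL inside a short time window, and only reports the hosting service as context. The message events and the service hostnames are constructed placeholders for this example; the real services are not reproduced in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of Messenger-style send events (sender, recipient, url, ISO timestamp).
# Illustrative records only, not data from PIXM's report.
SAMPLE_EVENTS = [
    ("alice", "bob",   "https://short.example/abc123", "2022-04-10T09:00:00"),
    ("alice", "carol", "https://short.example/abc123", "2022-04-10T09:00:04"),
    ("alice", "dave",  "https://short.example/abc123", "2022-04-10T09:00:09"),
    ("alice", "erin",  "https://short.example/abc123", "2022-04-10T09:00:13"),
    ("alice", "bob",   "https://news.example/story",   "2022-04-10T10:30:00"),
    ("dave",  "frank", "https://short.example/xyz789", "2022-04-10T11:00:00"),
    # frank shares one link with three people, but 20 minutes apart: human-paced, not a burst
    ("frank", "gina",  "https://short.example/xyz789", "2022-04-11T11:00:00"),
    ("frank", "hank",  "https://short.example/xyz789", "2022-04-11T11:20:00"),
    ("frank", "ivan",  "https://short.example/xyz789", "2022-04-11T11:40:00"),
]

# Hosts of legitimate URL generation services that phishers also abuse. Placeholder
# names constructed for this example; the article does not reproduce the real ones.
LEGIT_URL_SERVICES = {"short.example", "links.example"}


def parse_events(rows):
    """Turn raw tuples into (sender, recipient, url, datetime) records."""
    return [(s, r, u, datetime.fromisoformat(t)) for s, r, u, t in rows]


def max_fanout(sends, window):
    """Largest number of distinct recipients reached with one URL inside any `window`.
    `sends` is a list of (timestamp, recipient) pairs; a sliding window over the
    sorted timestamps keeps the check linear in the number of sends."""
    sends = sorted(sends)
    best, start = 0, 0
    for end in range(len(sends)):
        while sends[end][0] - sends[start][0] > window:
            start += 1
        best = max(best, len({r for _, r in sends[start:end + 1]}))
    return best


def find_fanout_senders(events, min_recipients=3, window=timedelta(minutes=5)):
    """Return {sender: {url: recipients}} for (sender, url) pairs whose burst fan-out
    meets the threshold. Domain reputation is deliberately not an input: the
    campaign's links lived on services legitimate apps use, so behaviour is the signal."""
    by_pair = defaultdict(list)
    for sender, recipient, url, ts in events:
        by_pair[(sender, url)].append((ts, recipient))
    flagged = {}
    for (sender, url), sends in by_pair.items():
        n = max_fanout(sends, window)
        if n >= min_recipients:
            flagged.setdefault(sender, {})[url] = n
    return flagged


def via_legit_url_service(url):
    """True when the link is hosted on one of the legitimate URL generation services."""
    return urlparse(url).hostname in LEGIT_URL_SERVICES


def triage(rows):
    """Produce a report sorted by fan-out: (sender, url, recipients, via_service)."""
    events = parse_events(rows)
    report = []
    for sender, urls in find_fanout_senders(events).items():
        for url, n in urls.items():
            report.append((sender, url, n, via_legit_url_service(url)))
    return sorted(report, key=lambda r: -r[2])


if __name__ == "__main__":
    for sender, url, n, via in triage(SAMPLE_EVENTS):
        tag = "legit URL service" if via else "direct host"
        print(f"{sender}: {url} -> {n} recipients in a burst ({tag})")
```

On the constructed sample only alice is reported: four distinct friends received the same link within 13 seconds. frank reaches three people with one link too, but spread over 40 minutes, so no 5-minute window holds more than one recipient and the account is left alone. The threshold and window are tuning knobs; the point is that the hosting domain never decides the verdict.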

Some of the URLs used in the phishing campaign (PIXM)

After discovering that they could gain unauthenticated access to the phishing campaign's stats pages, the researchers found that in 2021, 2.7 million users had visited one of the phishing portals. This figure went up to 8.5 million in 2022, reflecting the massive growth of the campaign.

Snapshot from the dashboard of the exposed analytics service (PIXM)

By diving deeper, the researchers identified 405 unique usernames used as campaign identifiers, each having a separate Facebook phishing page. These phishing pages had page views ranging from only 4,000 to some in the millions, with one as high as 6 million page views.

Sample of the identified dissemination users (PIXM)

The researchers believe that these 405 usernames represent only a fraction of the accounts used for the campaign.

After the victim enters their credentials on the phishing landing page, a new round of redirections begins, taking them to advertising pages, survey forms, and so on.

One of the ads shown to phished users (PIXM)

The threat actors receive referral revenue from these redirects, which is estimated to be millions of USD at this scale of operation.

Tracing the threat actor

PIXM found a common code snippet on all landing pages, which contained a reference to a website that has been seized and constitutes part of an investigation against a Colombian man identified as Rafael Dorado.

Website belonging to the campaign operator

It is unclear who seized the domain and placed the notice on the site.

A reverse whois lookup revealed links to a legitimate web development company in Colombia and old sites offering Facebook "like bots" and hacking services.

PIXM shared the results of its investigation with the Colombian Police and Interpol, but as the researchers note, the campaign is still ongoing, even though many of the identified URLs have gone offline.
