A large-scale ad phishing campaign that has compromised more
than 6.15 lakh Facebook users' accounts has been exposed by cybersecurity
researchers. The campaign has spread to at least 50 countries, and
the accounts are reportedly being compromised by abusing pages
hosted on the open source repository service GitHub.
ThreatNix, a Nepal-based security firm, said while giving
insights into the attack that the number of affected users is
increasing rapidly, at an unusual pace of over 100 entries per
minute, and that the situation is expected to worsen further if
necessary steps are not taken in due time.
The researchers noted, "the phishing campaign by a sponsored
Facebook post that was offering 3GB mobile data from Nepal Telecom
and was redirecting to a phishing site hosted on GitHub page; the
attackers created different pages imitating the legit pages from
numerous entities. The attackers were using the profile picture and
name of Nepal Telecom".
Additionally, the cybersecurity firm claimed in a statement this
week, “similar Facebook posts were used to target the Facebook
users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and
Norway”. According to the firm's findings, the campaign uses
localized Facebook posts containing links that redirect to a
static website hosted on GitHub Pages that contains a login panel
for Facebook.
The cybersecurity researchers also noted that “after
redirecting to a static GitHub page it forwarded the phished
credentials to two endpoints, one to a Firestore database and
another to a domain which was owned by the phishing group”. The
researchers also found that nearly 500 GitHub repositories
containing phishing pages are part of the same phishing
campaign.
According to ThreatNix, the firm is working in unison with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers used Bitly links that pointed to a benign page; once the Facebook ad was approved, the link was changed to point to the phishing domain. They used Bitly links because Facebook now takes all necessary steps to ensure that such phishing pages are not approved for ads.
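A check an ad-review or brand-monitoring team could run against the two behaviours described above, the short link that changes destination after approval and the static-hosted login page that sends credentials to other endpoints. This is an added example, not ThreatNix's or Facebook's code. It assumes the short link has already been resolved at approval time and again later, and the function name, finding labels, and sample hosts are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STATIC_HOST_SUFFIXES = (".github.io",)  # assumption: static-hosting suffixes to watch

class PageScan(HTMLParser):
    """Counts password inputs and collects hosts of URLs in inline scripts."""
    def __init__(self):
        super().__init__()
        self.password_inputs, self.script_hosts, self._in_script = 0, set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in re.findall(r"https?://[^\s\"'<>]+", data):
                self.script_hosts.add(urlparse(url).hostname)

def audit_ad_link(approved_url, current_url, landing_html):
    """Findings for one ad short link, re-resolved after the ad was approved."""
    findings = []
    current_host = urlparse(current_url).hostname
    if urlparse(approved_url).hostname != current_host:
        findings.append("destination_changed_after_approval")
    if current_host and current_host.endswith(STATIC_HOST_SUFFIXES):
        findings.append("static_hosting_landing_page")
    scan = PageScan()
    scan.feed(landing_html)
    if scan.password_inputs:
        findings.append("password_form")
        # Endpoints on other hosts are where submitted credentials could be sent.
        off_origin = sorted(h for h in scan.script_hosts if h and h != current_host)
        findings += [f"off_origin_endpoint:{h}" for h in off_origin]
    return findings

# Constructed sample input (hosts and markup are placeholders, not campaign data).
SAMPLE_HTML = """<form><input type="text" name="email">
<input type="password" name="pass"></form>
<script>var a="https://firestore.googleapis.com/v1/projects/PLACEHOLDER";
var b="https://collector.example/submit";</script>"""

if __name__ == "__main__":
    print(audit_ad_link("https://benign.example/offer", "https://constructed-sample.github.io/login", SAMPLE_HTML))
```

The comparison is by host only, so a destination that changes path on the same host is not flagged.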
Read more https://www.ehackingnews.com/2021/01/615-lakh-facebook-users-account.html

