Fake links and compromised messenger accounts: Investigating a recent Facebook phishing campaign

User login prompt caught on a fish hook

Phishing campaigns are a dime a dozen, but that doesn’t make them any less dangerous for the individuals and organizations affected by them.

Our Threat Intelligence Team recently discovered a campaign targeting Facebook Messenger users, so we took a closer look at the threat actor’s tactics and the infrastructure behind them.

Enterprise risk

Whilst phishing attacks are often considered a consumer threat, many campaigns specifically target organizations and their supply chains.

Enterprises in particular tend to overlook threats native to mobile and social media, either because they arrive through employees’ personal accounts and devices or because they are not obviously linked to the organization’s security posture.

Large-scale threats caused by phishing attacks include:

  • compromised accounts used as an entry point to target employees further along the org chart and supply chain;
  • hijacked social profiles used to create reputation damage or leak sensitive information;
  • employee data opening the door for further attacks such as invoice fraud or malware propagation.

Attack Vectors

Fraudulent DMs

In the campaign we discovered, threat actors send phishing links to the contacts of previously compromised Facebook accounts.

These DMs contain a short message and a link to what appears to be a video. Although the hostnames in these links borrow different brand themes (built around the word “tiktok”, for example), the link preview is made to look like a Facebook post:

“Is that you in the film?” Example of a phishing message disguised as a contact’s DM
The link’s content previews as a video on Facebook

Clicking the phishing link sends users to a fake Facebook login page, seemingly to access the video in question.

When users enter their credentials, the data is forwarded to the threat actors, who access the user’s account for malicious purposes and to propagate the campaign via the victim’s Facebook contacts:

This fake login page is designed to steal your Facebook credentials

Victims are left none the wiser: after submitting their credentials they see either an endless loading screen or a notification that the password was wrong.

Exploring the Domain Infrastructure

Investigating the campaign revealed that the initial IoC domain tiktok.e09rg[.]cloud was registered through Porkbun late last year and hosted on 69.57.163[.]217, an IP address in Namecheap’s ASN (AS22612), with multiple domains associated with the campaign pointing at it:

Domains hosted on 69.57.163[.]217

By tracking similar threat activity in other autonomous systems and applying content similarity techniques, we identified additional phishing domains deployed by the threat actors. The domains in question, as well as all other relevant IoCs, are listed at the end of the article.

We found that the domains associated with the campaign all contain the words “tiktok”, “video”, or “photo”, and searched for infrastructure displaying the same naming conventions. This uncovered other malicious IPs such as:

Domains hosted on 190.92.189[.]249 showing the same naming pattern as on 69.57.163[.]217

These domains all point toward the same fake login page when accessed on mobile:

Same fake login page as above, different domain: video.tv1d30[.]sbs

Platform-specific threat

The campaign’s initial infrastructure suggested that it was designed to harvest mobile users’ Facebook credentials. Desktop users, and users in certain locations, are instead shown decoy content or redirected away from the fake login pages.

Fake bicycle brand

We found most domains pointing to the landing page of a non-existent bicycle brand when accessed on desktop. The page has no functionality and only displays partial and repetitive information about the mock brand. It didn’t take much work to discover that the page is a free template taken from Dribbble.

Though this decoy page doesn’t create any damage on its own, it helps to hide the scam from automated threat scanners and users within the wrong target audience, increasing the lifespan of the phish before it is noticed at scale, and reported.

Fake bicycle brand landing page shown to desktop users — switches back to the fake login page when viewed on mobile
Original Dribbble template

Adware extensions

The phishing domains are geo-blocked and redirect users away from the fake login pages depending on their location.

Users accessing the phishing links from Singapore, for example, are sent to buzzonclick[.]com.

This domain redirects to a different fake ad blocker extension each time it is accessed. These extensions are known adware platforms that perform a variety of harmful actions once installed, including:

  • populating websites with additional ads;
  • unexpectedly redirecting users to other websites;
  • forcing the use of unwanted browser engines.

To appear legitimate, the fake ad blockers are distributed through the official Chrome Web Store, some showing more than 90k installs and a 4/5-star rating. Further research revealed related adware domains such as:

adblocker-sentinel[.]net

globaladblocker[.]com

adfreewatch[.]info

Example of one of the fake ad blockers in question: “Clean-Blocker”
Another fake ad blocker called “Ad Block One”
“Ad Block One” on the official Google web store
An extension with an incomplete domain setup

Redirects to YouTube

Some domains also redirect certain mobile users, again based on their location:

Redirect to a popular music video via video3w[.]com/16751921325rpQpSopczqLtIaPdZKWG-bB7SeTbtDoIMd0jpjZAUjO5

Since the threat campaign is directed at mobile users, the above may be a temporary decoy or placeholder for further attacks.

Fake desktop login

As the campaign evolved, we discovered some domains displaying the fake Facebook login on desktop as well as on mobile, such as tiktok28.ykw3[.]com:

Fake login with same functionality as mobile counterparts

The domain is hosted on 170.10.160[.]83, where we uncovered more than 5000 other domains related to this campaign.

Tracking content and activity similarities uncovered related IoCs such as 190.92.189[.]251, which hosts 3retc[.]com and its subdomain tiktokl.3retc[.]com.

Optimizing for location and user agents

While still operating at scale, phishing campaigns are increasingly deploying geo-blocking and mobile optimization tactics to home in on specific target groups.

Threat actors are focusing on these TTPs for numerous reasons:

  1. It saves resources otherwise wasted on suboptimal targets.
  2. It increases effectiveness within the right audience.
  3. It reduces the attention drawn to the campaign and increases its longevity.

Except for the third point, this is the same thinking that digital marketers use when localizing the content and language of their ad campaigns and optimizing them for an increasingly mobile landscape.
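Because the kit behaves differently for mobile browsers, desktop browsers and automated scanners (see the “Platform-specific threat” section above), a single fetch of a suspect URL is not enough to classify it. The following is an added example written for this article, not Silent Push tooling: it probes one URL as several client personas and compares what each gets back, flagging the page as cloaked when a credential form is served to some personas but not others. The `urllib_fetch` function performs real requests; `demo_fetch` is a constructed stand-in for the kit so that the comparison logic runs offline, and the placeholder URL, persona User-Agent strings and the password-field heuristic are our own choices.

```python
"""
Multi-persona probing of a suspected phishing URL.

Added example, not Silent Push tooling. Cloaked kits serve the credential
form only to the intended audience and hand everyone else a decoy page or an
off-site redirect, so one desktop fetch (or a scanner with a tell-tale
User-Agent) sees nothing wrong. demo_fetch is a constructed stand-in for
such a kit; urllib_fetch performs real requests.
"""
import hashlib
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict

# Client personas. Geography cannot be faked with a header (the kit keys on the
# client IP), so region-specific behaviour needs real egress from that region;
# Accept-Language is only a weak hint that some kits also check.
PERSONAS: Dict[str, Dict[str, str]] = {
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                              "AppleWebKit/537.36 (KHTML, like Gecko) "
                              "Chrome/111.0.0.0 Safari/537.36",
                "Accept-Language": "en-US,en;q=0.9"},
    "android": {"User-Agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) "
                              "AppleWebKit/537.36 (KHTML, like Gecko) "
                              "Chrome/111.0.0.0 Mobile Safari/537.36",
                "Accept-Language": "en-US,en;q=0.9"},
    "scanner": {"User-Agent": "curl/8.0.1", "Accept-Language": "en-US"},
}

# Heuristic for "this response is a login form": any password input field.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)


@dataclass
class Observation:
    status: int
    final_url: str   # where the redirect chain ended
    body: str


Fetcher = Callable[[str, Dict[str, str]], Observation]


def urllib_fetch(url: str, headers: Dict[str, str], timeout: float = 10) -> Observation:
    """Real fetcher: follows redirects and reports the final URL. Run it only
    from an isolated analysis network; it will contact the suspect host."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Observation(resp.status, resp.geturl(),
                               resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Observation(err.code, err.geturl(),
                           err.read(65536).decode("utf-8", "replace"))


def host_of(url: str) -> str:
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def probe(url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, Observation]:
    """Fetch the same URL once per persona."""
    return {name: fetch(url, headers) for name, headers in PERSONAS.items()}


def assess(url: str, observations: Dict[str, Observation]) -> dict:
    """Per-persona summary plus a cloaking verdict: the page counts as cloaked
    when a credential form is shown to some personas but not to all of them."""
    origin = host_of(url)
    personas = {}
    for name, obs in observations.items():
        personas[name] = {
            "status": obs.status,
            "redirected_offsite": host_of(obs.final_url) != origin,
            "login_form": bool(PASSWORD_FIELD.search(obs.body)),
            "digest": hashlib.sha256(obs.body.encode("utf-8")).hexdigest()[:12],
        }
    shown_to = sorted(n for n, p in personas.items() if p["login_form"])
    return {
        "personas": personas,
        "login_shown_to": shown_to,
        "distinct_responses": len({p["digest"] for p in personas.values()}),
        "cloaked": 0 < len(shown_to) < len(personas),
    }


def demo_fetch(url: str, headers: Dict[str, str]) -> Observation:
    """Constructed stand-in for the kit described in the article (no network):
    mobile browsers get the fake login, desktops a decoy brand page, and
    anything that looks like a scanner is bounced to an ad domain."""
    ua = headers.get("User-Agent", "")
    if "Mobile" in ua:
        return Observation(200, url, '<form method="post"><input name="email">'
                                     '<input type="password" name="pass"></form>')
    if ua.startswith("curl/"):
        return Observation(200, "https://ads.invalid/landing", "<html>sponsored</html>")
    return Observation(200, url, "<h1>Velo Bikes</h1><p>Ride the future.</p>")


if __name__ == "__main__":
    target = "https://phish.example/video"   # placeholder; pass a refanged IoC for a live run
    verdict = assess(target, probe(target, demo_fetch))
    print("cloaked:", verdict["cloaked"], "login shown to:", verdict["login_shown_to"])
    for name, p in verdict["personas"].items():
        print(f"  {name:8} status={p['status']} offsite={p['redirected_offsite']} login={p['login_form']}")
```

Swap `demo_fetch` for `urllib_fetch` to run against live infrastructure, and add personas that exit from the targeted regions (the Singapore redirect above would never show up from a US vantage point). A result where only the mobile persona sees the password field while the desktop persona gets a brochure page is exactly the signature this campaign leaves.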

Takeaways

Phishing attacks remain a persistent threat to all enterprises, regardless of revenue, size, or headcount. The campaign investigated in this article is only one of many recent Facebook scams focused on stealing user credentials through fraudulent links and DMs.

Threat actors constantly adjust their campaigns to match changing digital habits and to better exploit enterprise weaknesses. Alongside employee training, it is key to stay informed about the security tools available to your organization in order to stay ahead of potential attacks.

This campaign was uncovered using the Silent Push App and dataset. Silent Push enables businesses to detect malicious infrastructure before it is activated, and proactively check for vulnerabilities within their digital presence.



Indicators of Compromise

Below is a categorized list of the IoCs discussed in this article. Please note that the actual number of IoCs is far greater.

We track several malicious groups and threats. Comprehensive lists of real-time IoCs relating to the Facebook campaign and others are available with a Silent Push Enterprise Subscription.

Enterprise users can search for IoCs related to this campaign using the tag sp-blog-2023-03-21.

Browse our complete Threat Intelligence Catalog here.

Domains

adblocker-sentinel[.]net

adfreewatch[.]info

buzzonclick[.]com

globaladblocker[.]com

newwvideos[.]com

photo.asf5[.]sbs

tiktok.0dtlvs[.]cloud

tiktok.2rkb[.]cloud

tiktok.4fbg[.]cloud

tiktok.4ope9v[.]cloud

tiktok.8rghj[.]cloud

tiktok.8rghj[.]sbs

tiktok.bdwnl[.]cloud

tiktok.dahaak[.]sbs

tiktok.dfh5[.]sbs

tiktok.fre3[.]sbs

tiktok.km8j[.]sbs

tiktok.sd4rge[.]cloud

tiktok.ss4gy[.]cloud

tiktoks.0dtlvs[.]cloud

tiktoks.ae4eg[.]cloud

tiktoks.dfh5[.]sbs

tiktoks.rhlm4[.]cloud

video.tv1d30[.]sbs

videolass[.]com

videolost21[.]com

videosdidi[.]com

videospriv8[.]com

workspacevideo[.]email

IPs

69.57.163[.]217

190.92.189[.]249