A massive phishing campaign was discovered that could have earned its operators millions of dollars through affiliate advertising commissions.
AI-focused cybersecurity firm PIXM discovered the campaign in September 2021, before its peak in April and May 2022. It leveraged Facebook’s Messenger service, legitimate URL shortener services, and webpages with ads and surveys.
The premise is simple: the crooks created several phishing sites where victims would be lured into providing their Facebook credentials. After that, two things would happen. First, the victims would be redirected to a website with ads, surveys and other means of generating revenue for the operators. Second, the victims’ Facebook accounts would be used to further publicize the campaign via Messenger.
Bypassing Facebook’s Protections
Messenger is generally good at detecting and killing phishing links, but the criminals managed to get around the defense mechanism with legitimate URL shortening services such as litch.me, famous.co, amaze.co, and funnel-preview.com, the researchers found.
The entire campaign appears to have been automated, with very little intervention from the campaign’s masterminds.
“A user’s account would be compromised and, likely in an automated fashion, the threat actor would log into that account and send the link to the user’s friends via Facebook Messenger,” PIXM said.
Digging deeper, PIXM found that one of the phishing pages hosted a link to a public and open traffic monitoring app. Through the app, they found that 2.7 million users visited one of the phishing sites in 2021, increasing to 8.5 million this year.
A total of 405 unique usernames were used as campaign identifiers, which is likely not the total number of accounts used for the campaign.
PIXM also found a code snippet common to all phishing pages that referenced a website seized and shut down by law enforcement agencies. Allegedly, it belongs to a Colombian man, Rafael Dorado, against whom an investigation is ongoing.
Details on the earnings are sparse, but the researchers say they are “in the millions.”
Via: BleepingComputer