
Attackers Use Legitimate Facebook Infrastructure for Credential Phishing

While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.

April 20, 2022

With nearly three billion active users across the globe, it’s no wonder that cybercriminals love to impersonate Facebook. While threat actors have been using phishing emails to try to steal Facebook login credentials for years, we’ve recently seen an increase in more sophisticated phishing attacks, including the one outlined here.

Summary of Attack Target

  • Platform: Google Workspace
  • Email Security Bypassed: Inky
  • Victims: Facebook Users
  • Payload: Malicious Link
  • Technique: Impersonation

About the Facebook Phishing Attack

Similar to a credential phishing scam we discussed in December 2020, this attack seeks to acquire login credentials from Facebook users by tricking them into believing their account will soon be disabled.

The phishing email informs the recipient that their account has been reported by multiple users for repeatedly posting content that violates Facebook’s policies. To avoid having their account disabled and their page removed, they must click on the link in the email to file an appeal.

[Image: Facebook phishing email with redirect link]

When the recipient clicks on the link in the email, they are redirected to a Facebook post that ups the ante by telling them they only have 48 hours to respond. Within the post is a link to a credential phishing site disguised as a form to request an appeal.

[Image: Fake Facebook page for credential phishing]

As part of this fake appeals process, they must provide sensitive information, including their name and email address. When the recipient tries to submit the form, a popup appears asking them to enter their Facebook password. If they enter their password and click Continue, the attacker now has all of the information they need to access the target’s Facebook account.

Why This Facebook Credential Phishing Attack Is Unique

What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook.

Because the email contains a valid Facebook URL, the landing page is especially convincing, which minimizes the chance the target will second-guess the legitimacy of the initial email.

In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.

To further improve their chances of successfully stealing the target’s credentials, the threat actors use the Facebook post to raise the stakes and create an even greater sense of urgency. The fear of their account being disabled if action isn’t taken immediately is often enough by itself to convince recipients to provide their personal information—especially if they are using their Facebook account for business purposes.

But including an additional step that sends the recipient to an actual Facebook post first helps enhance the appearance of authenticity and increases the probability of the target believing their page is in danger of being removed.

The Impact of the Facebook Phishing Attack

With their login credentials, the threat actor can browse through the victim’s profile and collect a wide variety of information, including what might be the answers to security questions on other accounts. (After all, how many of our mothers have their maiden name somewhere on Facebook?) And if the recipient reused their Facebook password and email for other websites or apps, the attacker now has access to those as well.

Another way attackers can use this access is to impersonate the target and engage with their network and easily find more victims. Or, based on what they find within the Facebook account, they can extort the victim, asking them to pay a fine or risk their private information being sent to friends, family, or law enforcement.

This attack could be particularly devastating because, as mentioned above, it seems the attackers are singling out individuals who manage Facebook Pages for businesses. If the threat actor gains access, they can do long-term damage to the brand’s reputation.

Scary, right? And all from a simple phishing email.

Why Abnormal Remediated This Email

While the recipient's other email security solution did flag the email with “Potential Sender Forgery” and “Spam Content”, the platform did not properly remediate the email or render it inert.

Here’s why Abnormal stopped this email from being delivered:

  • The sender's display name and signoff matched a known brand (Facebook), but the sender's email was messaging-service[@]post.xero.com.

  • While the sender’s email was messaging-service[@]post.xero.com, the reply-to was a random Gmail address: qerasnumber1[@]gmail[.]com.

  • The body of the email contained language that indicated the sender was attempting to steal personal information.
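
The first two signals above can be checked from message headers alone. The following Python sketch is an added example, not Abnormal's detection logic; the brand domain list, the free-webmail list, and both sample messages are constructed assumptions, and the body-language signal is not covered.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed reference data for this sketch: domains each brand legitimately
# sends from, and free webmail domains ("freemail.example" is constructed).
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com", "meta.com"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}

# Constructed sample messages (not the email from the incident).
SAMPLE_PHISH = (
    'From: "Facebook Team" <notify@mailer.example>\n'
    "Reply-To: appeals-desk@freemail.example\n"
    "Subject: Your page is scheduled for removal\n"
    "\n"
    "Your account has been reported. File an appeal within 48 hours.\n"
)
SAMPLE_BENIGN = (
    'From: "Facebook" <notification@facebookmail.com>\n'
    "Subject: You have a new notification\n"
    "\n"
    "Open the app to see it.\n"
)

def domain_of(addr):
    """Return the lowercased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def in_domains(domain, allowed):
    """True for an exact match or a subdomain of an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def header_signals(raw):
    """Return the header-based impersonation signals found in one message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    signals = []
    # Signal 1: display name claims a brand, sending domain is not the brand's.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domains(from_dom, allowed):
            signals.append("brand_display_name_mismatch")
    # Signal 2: replies are routed to a different domain, here a free mailbox.
    if reply_addr and reply_dom != from_dom:
        signals.append("reply_to_domain_differs")
        if reply_dom in FREEMAIL:
            signals.append("reply_to_freemail")
    return signals
```

Neither check inspects the link in the body, which matters for this attack because the first URL is a genuine Facebook address that would pass a domain reputation check.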

Facebook Phishing Threat Analysis from Abnormal

Based on Abnormal’s analysis of the email content and the sender, the message was automatically remediated and was not delivered to the recipient’s inbox.

The Impact of Successful Facebook Phishing Attacks

Cybercriminals are constantly adapting their tactics and making it more difficult for targets to recognize attacks. And considering how common it is to reuse passwords for multiple accounts, a threat actor only has to be successful once to cause significant losses, for individuals and organizations alike.

The bottom line: think twice before entering your login information, especially if clicking through a link.

To learn more about how Abnormal was able to stop this Facebook phishing attack, request a demo of the platform today.

