
Attackers Use Legitimate Facebook Infrastructure for Credential Phishing

While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.

April 20, 2022

With nearly three billion active users across the globe, it’s no wonder that cybercriminals love to impersonate Facebook. While threat actors have been using phishing emails to try to steal Facebook login credentials for years, we’ve recently seen an increase in more sophisticated phishing attacks, including the one outlined here.

Summary of Attack Target

  • Platform: Google Workspace
  • Email Security Bypassed: Inky
  • Victims: Facebook Users
  • Payload: Malicious Link
  • Technique: Impersonation

About the Facebook Phishing Attack

Similar to a credential phishing scam we discussed in December 2020, this attack seeks to acquire login credentials from Facebook users by tricking them into believing their account will soon be disabled.

The phishing email informs the recipient that their account has been reported by multiple users for repeatedly posting content that violates Facebook’s policies. To avoid having their account disabled and their page removed, they must click on the link in the email to file an appeal.

Facebook phishing email with redirect link

When the recipient clicks on the link in the email, they are redirected to a Facebook post that ups the ante by telling them they only have 48 hours to respond. Within the post is a link to a credential phishing site disguised as a form to request an appeal.

Fake Facebook page for credential phishing

As part of this fake appeals process, they must provide sensitive information, including their name and email address. When the recipient tries to submit the form, a popup appears asking them to enter their Facebook password. If they enter their password and click Continue, the attacker now has all of the information they need to access the target’s Facebook account.

Why This Facebook Credential Phishing Attack Is Unique

What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook.

Because the link in the email points to a valid Facebook URL, the landing page is especially convincing, and the target is far less likely to second-guess the legitimacy of the initial email.

In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.

To further improve their chances of successfully stealing the target’s credentials, the threat actors use the Facebook post to raise the stakes and create an even greater sense of urgency. The fear of their account being disabled if action isn’t taken immediately is often enough by itself to convince recipients to provide their personal information—especially if they are using their Facebook account for business purposes.

But including an additional step that sends the recipient to an actual Facebook post first helps enhance the appearance of authenticity and increases the probability of the target believing their page is in danger of being removed.

The Impact of the Facebook Phishing Attack

With their login credentials, the threat actor can browse through the victim’s profile and collect a wide variety of information, including what might be the answers to security questions on other accounts. (After all, how many of our mothers have their maiden name somewhere on Facebook?) And if the recipient reused their Facebook password and email for other websites or apps, the attacker now has access to those as well.

Another way attackers can use this access is to impersonate the target and engage with their network and easily find more victims. Or, based on what they find within the Facebook account, they can extort the victim, asking them to pay a fine or risk their private information being sent to friends, family, or law enforcement.

This attack could be particularly devastating because, as mentioned above, it seems the attackers are singling out individuals who manage Facebook Pages for businesses. If the threat actor gains access, they can do long-term damage to the brand’s reputation.

Scary, right? And all from a simple phishing email.

Why Abnormal Remediated This Email

While the recipient's other email security solution did flag the email with “Potential Sender Forgery” and “Spam Content,” the platform did not properly remediate the email or render it inert.

Here’s why Abnormal stopped this email from being delivered:

  • The sender's display name and signoff matched a known brand (Facebook), but the sender's email was messaging-service[@]post.xero.com.

  • While the sender’s email was messaging-service[@]post.xero.com, the reply-to was a random Gmail address: qerasnumber1[@]gmail[.]com.

  • The body of the email contained language that indicated the sender was attempting to steal personal information.
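The three signals above (a display name that claims a brand the sender's domain does not belong to, a Reply-To that points somewhere other than the sender, and credential-lure wording in the body) can be checked mechanically. The script below is an added illustration written for this post, not Abnormal's detection code; the brand domain list, freemail list and lure phrases are assumptions chosen to cover this sample, and the two messages are constructed from the details given above.

```python
"""Flag the sender-identity and content signals described in the post.

Added example, not Abnormal's detection logic. Domain lists and lure phrases
below are assumptions for illustration; a production rule set would be larger.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains that legitimately send mail for each brand.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
}
# Assumption: consumer mailbox providers that a brand would not use as Reply-To.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumption: phrases typical of "your account is at risk, act now" lures.
CREDENTIAL_LURE_PHRASES = (
    "account will be disabled",
    "file an appeal",
    "enter your password",
    "confirm your identity",
)

# Constructed sample based on the headers and wording quoted in the post.
PHISH_EMAIL = """\
From: Facebook <messaging-service@post.xero.com>
Reply-To: qerasnumber1@gmail.com
To: page-admin@example.com
Subject: Your page has been reported
Content-Type: text/plain; charset="utf-8"

Your account has been reported by multiple users for repeatedly posting
content that violates our policies. Your account will be disabled unless
you file an appeal within 48 hours using the link below.
"""

# Constructed benign sample: brand name in display, sender domain matches, no lure.
LEGIT_EMAIL = """\
From: Facebook <notification@facebookmail.com>
To: page-admin@example.com
Subject: Someone commented on your post
Content-Type: text/plain; charset="utf-8"

A user replied to your recent post. Log in to see the comment.
"""


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Signal 1: display name claims a brand, sender domain is not that brand's.
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(
                f"display name impersonates {brand} but sender domain is {sender_domain}"
            )

    # Signal 2: Reply-To diverges from the sender, and/or lands on freemail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to:
        rt_domain = domain_of(reply_to)
        if rt_domain != sender_domain:
            findings.append(
                f"reply-to domain {rt_domain} differs from sender domain {sender_domain}"
            )
        if rt_domain in FREEMAIL_DOMAINS:
            findings.append(f"reply-to uses freemail provider {rt_domain}")

    # Signal 3: body wording pressures the reader into handing over credentials.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    hits = [p for p in CREDENTIAL_LURE_PHRASES if p in text]
    if hits:
        findings.append("body contains credential-lure phrases: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(f"{label}: {analyze_message(sample) or ['no findings']}")
```

Each signal alone is weak (plenty of legitimate mail is sent through third-party platforms, and some brands do set a Reply-To), so a real rule would weight and combine them rather than block on any one hit; the point here is that the combination present in this message is exactly what the analysis above lists.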

Facebook Phishing Threat Analysis from Abnormal

Based on Abnormal’s analysis of the email content and the sender, the message was automatically remediated and was not delivered to the recipient’s inbox.

The Impact of Successful Facebook Phishing Attacks

Cybercriminals are constantly adapting their tactics and making it more difficult for targets to recognize attacks. And considering how common it is to reuse passwords for multiple accounts, a threat actor only has to be successful once to cause significant losses, for individuals and organizations alike.

The bottom line: think twice before entering your login information, especially if clicking through a link.
