Phishers are trying to trick owners of Facebook pages with fake notices purporting to come from the social network (i.e., Meta, the company behind Facebook, Instagram and WhatsApp), in an attempt to get them to part with sensitive information.
The method they are using to harvest information is quite clever: they create a lead generation form via the Meta Ads Manager and include the link to it in the phishing email.
Such a link makes it less likely that email security solutions will flag the email as potentially malicious, and can also give a false sense of security to the potential targets, as the email ostensibly came from Facebook and contains a link to a page hosted on Facebook.
“Our researchers have been consistently tracking phishing emails that come from legitimate sources,” says Jeremy Fuchs, a cybersecurity researcher at Avanan.
Hackers often leverage sites that appear on email security services’ Allow lists – and Facebook is one of those. “So a link from Facebook would appear to be legitimate and not scanned for further malicious content,” he explained.
The phishing emails
Avanan has spotted two types of phishing emails with links to a lead generation form on Facebook:
- A (fake) notification saying that one of the user’s ads was reported because it does not comply with Meta’s advertising policies, and a threat that their ad account will be disabled if they don’t fill in an appeal form
If one knows what to look for, there are many discrepancies that make it obvious the emails have not been sent by Meta or the “Media Operations Team Facebook”: grammatical and stylistic mistakes, the emails coming from an Outlook domain and addressed to “Dear User” (and not to the specific user), the threat of account disabling, the attempt to create a sense of urgency…
But unfortunately, just the fact that the phishing link points to Facebook can be enough to fool some users.
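The tells listed above (a brand name in the sender's display name but a consumer mail domain in the address, a generic "Dear User" greeting, an account-disable threat, and a link to a facebook.com page that an allow list would otherwise wave through) can be turned into a simple scoring rule. The sketch below is an added example, not code from the article or from Avanan; the two messages it scores are constructed for illustration, the set of legitimate Meta sender domains is an assumption, and the facebook.com form URL is a placeholder rather than the real lead form address.

```python
"""Heuristic triage of a Meta-themed phishing email (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains Meta genuinely sends notifications from. Replace with your own list.
BRAND_SENDER_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}
BRAND_WORDS = ("meta", "facebook", "instagram")           # crude substring match; "metadata" would also hit
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account owner")
URGENCY_PHRASES = ("will be disabled", "permanently", "immediately", "within 24 hours")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg) -> str:
    """Domain of the actual From address, ignoring the display name."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of the message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace") for p in parts
    )


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    text = body_text(msg)
    lower = text.lower()
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    domain = sender_domain(msg)
    findings = []

    # 1. Brand impersonation: the mail talks like Meta but does not come from a Meta domain.
    claims_brand = any(w in display_name or w in lower for w in BRAND_WORDS)
    if claims_brand and domain not in BRAND_SENDER_DOMAINS:
        findings.append(f"claims to be Meta/Facebook but was sent from {domain}")

    # 2. Not addressed to the account holder.
    if any(g in lower for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the account holder's name")

    # 3. Pressure to act now.
    if any(p in lower for p in URGENCY_PHRASES):
        findings.append("urgency / account-disable threat")

    # 4. The allow-list trap: a facebook.com link does not vouch for a message that Meta did not send.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith("facebook.com") and domain not in BRAND_SENDER_DOMAINS:
            findings.append(f"link to {host} inside a message that did not come from Meta")

    return {"sender_domain": domain, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample modelled on the campaign described above (not a real captured email).
PHISH_SAMPLE = """\
From: Media Operations Team Facebook <ads-support@outlook.com>
To: victim@example.com
Subject: Your ad has been reported
Content-Type: text/plain; charset=utf-8

Dear User,

One of your ads was reported because it does not comply with Meta Advertising Policies.
Your ad account will be disabled if you do not submit an appeal within 24 hours.

Appeal here: https://www.facebook.com/placeholder-lead-form-url
"""

# Constructed benign sample: genuine sender domain (assumed), personal greeting, no threat.
BENIGN_SAMPLE = """\
From: Meta for Business <notification@facebookmail.com>
To: victim@example.com
Subject: Your weekly ad performance summary
Content-Type: text/plain; charset=utf-8

Hi Alex,

Here is the weekly summary for your ad account.
See details: https://www.facebook.com/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze(sample)
        print(label, result["suspicious"], *result["findings"], sep="\n  ")
```

The point of check 4 is the one Fuchs makes: a gateway that stops scanning because the link's host is on an allow list never reaches checks 1 to 3. Scoring the sender and the wording independently of the link destination is what catches this campaign; the link host alone is never evidence of legitimacy.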
Fuchs told Help Net Security that the phishers are not specifically targeting known owners of Facebook ad accounts. Instead, the emails – and there’s a lot of them – are sent indiscriminately, obviously hoping to hit that specific category of users.
The fake appeal forms might ask for any type of information, including account login credentials and credit card details. With the former, attackers can hijack victims’ Facebook ad accounts and use them for attacks at a later date (e.g., to create further phishing forms, push malicious ads on Facebook and Instagram, etc.).