A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages via a savvy campaign that incorporates Facebook's Messenger chatbot feature.
That's according to an analysis from Trustwave SpiderLabs. Karl Sigler, senior security research manager there, tells Dark Reading that the campaign is notable for its interactivity, and how much more complex the social-engineering aspects of phishing campaigns have gotten.
"You don't just click on a link and then be prompted to download an executable — most people are going to understand that's an attack and not click on it," he explains. "In this attack, it's a link that leads you to a tech-support-type channel asking for information that you would expect tech support to ask for, and that ramping up of the social-engineering aspect is relatively new with these types of campaigns."
Interactive & Seemingly Legitimate: A New Face of Phishing
According to the research, the attacks start with emails, as they often do. The emails claim that user pages will be terminated in 48 hours due to a violation of Facebook's community standards — a savvy lure, researchers pointed out, given that the social-media giant has been vocal about its efforts to clamp down on rules-breakers.
The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. If one hovers over the button, the URL uses Meta's legitimate URL-shortening service (which uses the convention "m.me"). If users click, they're taken to a real Messenger conversation with a chatbot.
The chatbot claims to be a representative of the Facebook support team, and presents another "Appeal Now" button to victims. The embedded link takes users to a new tab to a website hosted in Google Firebase.
"Firebase is an application development software that provides developers with a variety of tools to help build, improve, and grow the app [making it] easy for anyone to create and publish webpages," according to Trustwave's Tuesday analysis. "Spammers take advantage of this availability, and in this case, they built a website disguised as a Facebook 'Support Inbox,' where the user can purportedly appeal the supposed deletion of their page."
On this page, now-victims are asked to enter their email address or mobile number, first and last name, and page name. An additional text box for a phone number is displayed even though a mobile number is already being asked in the first text box. After pressing a "Submit" button, a pop-up window appears asking for the victims' passwords.
All of the data is of course sent directly to the cybercrooks' database.
The last link of the attack chain involves a bogus two-factor authentication gambit — users are presented with a pop-up box asking for a code, and are told they'll be sent a one-time password, which the attackers do since they've been able to capture victims' email and phone data.
Finally, the page will then redirect to the actual Facebook Help Center.
Bolstering Trustability in Phishing
One of the aspects that makes this campaign so effective is the fact that chatbots are a common feature of digital marketing and live support these days, and people are not inclined to be suspicious of their contents, especially if they come from a seemingly genuine source.
"The campaign uses the actual Facebook chat mechanism," Sigler says. "When you click the link in the email and it takes you literally to Facebook, and you can see your account profile up top, you can see that it's Facebook, you can look at the URL and it's got the nice little lock up-top that lends trust. The supporting says Page support. They've given me a case number. And that's often enough to break down those the barriers that a lot of people put up to identify the red flags associated with phishing."
Sigler warns that attacks like these can be especially risky for business-page owners in particular.
"This could be leveraged very well in a targeted-type of attack," he notes. "If I know an organization has standardized on specific messaging clients, whether it's Skype or Teams or Signal, I can start to craft a campaign specific to that messaging platform."
Cybercriminals can cause plenty of damage for business users with Facebook credentials and phone numbers, Sigler adds.
"If the person who is in charge of your social networking falls for this type of scam, suddenly, your entire business page may be defaced, or they could leverage access to that business page to gain access directly to your customers using the legitimacy of that Facebook presence," he explains. "They'll also probably go after additional network access and data."
Phishing Defense with User Awareness Training: Still Effective
The use of valid infrastructure to propagate such attacks is a sign of things to come in phishing, Sigler notes.
"A lot of times, these types of attacks will use cloned sites or those typosquatted domains that look like Facebook, but it's actually 'Facebock,' let's say," he says. "Going forward, we're going to continue to see a trend of attacks coming from traditionally valid sources, and it's going to be harder and harder to distinguish these campaigns because of that legitimacy level that they're piggybacking on top of."
That said, it's worth noting that this particular campaign was not without its suspicious red flags. For instance, the emails have grammatical problems, such as the improper capitalization of the word "Page," and the missing period at the end of the third sentence, researchers pointed out. And in the email header, the sender is named as "Policy Issues," but the sender domain does not belong to Facebook. It is also evident in the email's Received headers and sender IP address that it was not sent by the social media platform.
There are also problems when users are taken to the purported support page.
"Closer inspection of the profile owning the page will reveal that this is not an actual support page," according to the research. "The profile used is just a normal business/fan page with zero followers and no posts. Even though this page may seem unused, it had a 'Very Responsive' badge which Facebook defines as having a response rate of 90% and responds within 15 minutes. It even sported a Messenger logo as its profile picture to appear legitimate."
"While this type of attack is a little bit clumsy from my point of view, and I think a lot of people would see through it because of the red flags, I think that this is a start and I think that they're going to get much more clever," Sigler warns.
Thus, the best defense is to focus on user phishing training, Sigler advocates.
"More than 95% of compromises are initially started with somebody clicking on the wrong link in a phishing email," Sigler notes. "Hopefully organizations are having ongoing security awareness training, because the only thing you can do to patch for this type of attack is educate your users. So, it's important to revisit your security-awareness program, to take a look at what you're currently teaching your employees and users about phishing attacks, and make sure that it's up-to-date and includes some of these more complex campaigns."