Researchers at ThreatNix have uncovered a large-scale Facebook ad scam aimed at users in Egypt, the Philippines, Pakistan, and Nepal, built to steal their Facebook passwords. The ads advertised specific products or services that would look legitimate in each targeted country, which made them more convincing, and the approach worked: more than 615,000 users fell for the scams and had their login credentials stolen. Users who clicked the ad were taken to a GitHub-hosted page made to look like the Facebook login page, and any credentials they entered were forwarded to the scammers through a Firestore database. On how the ads got past review, ThreatNix wrote in a blog post: “While Facebook takes measures to make sure that such phishing pages are not approved for ads, in this case the scammers were using Bitly links which initially must have pointed to a benign page and once the ad was approved, was modified to point to the phishing domain.” In other words, the review checked the link's destination only at approval time; once the short link was repointed, nothing in the review protected users at click time. Further investigation turned up around 500 GitHub repositories hosting phishing pages tied to this campaign.
Users on Facebook, or on any other site that carries ads, should use extreme caution when an advertisement or other link leads to a page that asks for a password. Skepticism toward ads is healthy. If you follow an ad link, do not enter credentials or payment details until you have verified that the site is the one it claims to be; the address bar, not the page design, is what to check, since a fake login page can copy Facebook's layout exactly but cannot be served from facebook.com. If in doubt, do not enter the password. If a password may have been stolen, change it everywhere it has been used. Enable Multi-Factor Authentication (MFA) on every account that supports it: a stolen or guessed password is then not enough on its own, because the attacker does not hold the phone or device that produces the one-time code. One caveat: one-time codes delivered by SMS or an authenticator app can still be captured by a phishing page that relays them in real time, so where a service offers a phishing-resistant factor such as a FIDO2/WebAuthn security key, prefer it. Using a password manager also helps avoid the common mistake of re-using the same password across services, and it will refuse to auto-fill a saved Facebook password on a lookalike domain.
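The advice above comes down to one check: before typing a password, find out where a short link really ends up and whether that final host belongs to the brand the page imitates. The script below is an added example written for this post, not code from ThreatNix or from the campaign write-up. It follows a short link's redirect chain hop by hop (the part that needs network access) and then judges the final URL offline: is it under the brand's own domain, is it served from a free static-hosting service such as github.io, does it reuse the brand name on an off-brand host, is it plain http? The hostnames other than facebook.com, bit.ly and github.io, and the short list of free hosting domains, are assumptions constructed for the demo. The eTLD+1 logic is deliberately crude (last two labels); a production tool would use the Public Suffix List.

```python
"""Resolve a short link's redirect chain and judge its final destination.

Added example for this post; not part of the ThreatNix write-up.
Hosts other than facebook.com, bit.ly and github.io are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Domains where anyone can publish a static page for free. A brand's real
# login page is never served from one of these. Assumption: short demo list.
FREE_STATIC_HOSTS = ("github.io", "gitlab.io", "netlify.app", "web.app")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_chain(url, max_hops=10, timeout=5):
    """Follow Location headers one hop at a time; return the URLs visited.

    Needs network access. This is the step to repeat at click time, because
    a short link's target can be changed after an ad has been approved.
    """
    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            resp = opener.open(req, timeout=timeout)
        except urllib.error.HTTPError as err:
            resp = err  # with redirects suppressed, 3xx surfaces as HTTPError
        if resp.getcode() not in (301, 302, 303, 307, 308):
            break
        location = resp.headers.get("Location")
        if not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumption: adequate for .com/.io
    style hosts; use the Public Suffix List for anything serious."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def judge_destination(final_url, brand_domain="facebook.com"):
    """Return (verdict, reasons) for the last URL in a chain.

    verdict is 'ok' only when the host is under brand_domain over https;
    otherwise 'do_not_enter_credentials', with the reasons collected.
    """
    parts = urlparse(final_url)
    host = (parts.hostname or "").lower()
    reasons = []
    if not host:
        return "do_not_enter_credentials", ["no hostname in URL"]
    if parts.scheme != "https":
        reasons.append("not served over https")
    if registrable_domain(host) == brand_domain:
        return ("ok" if not reasons else "do_not_enter_credentials"), reasons
    reasons.append(f"host {host!r} is not under {brand_domain}")
    if any(host == h or host.endswith("." + h) for h in FREE_STATIC_HOSTS):
        reasons.append("free static-hosting service (anyone can publish there)")
    brand_word = brand_domain.split(".")[0]
    if brand_word in host or brand_word in parts.path.lower():
        reasons.append("brand name reused on an off-brand host (lookalike)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    return "do_not_enter_credentials", reasons


def inspect_chain(chain, brand_domain="facebook.com"):
    """Judge an already-resolved chain (as returned by resolve_chain)."""
    verdict, reasons = judge_destination(chain[-1], brand_domain)
    return {"chain": chain, "final": chain[-1], "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed chain standing in for a repointed ad link; no network needed.
    sample = ["https://bit.ly/abc123", "https://login-facebook-help.github.io/"]
    print(inspect_chain(sample))
    # Live use: print(inspect_chain(resolve_chain("https://bit.ly/abc123")))
```

The verdict is intentionally binary: either the final host is under the brand's own domain over https, or the Facebook password does not get typed there. The reasons are for the analyst, not the decision, since a non-brand host with the brand name in it is sometimes legitimate (an open-source project page, for example) but is still never the place to enter that brand's credentials.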