Researchers from ThreatNix have discovered a large-scale ad scam that targeted Facebook users in Egypt, the Philippines, Pakistan, and Nepal in an effort to steal their passwords. The ads featured specific products or services that could be considered legitimate in the targeted countries to make them seem more believable, and it worked. In total, more than 615,000 users fell for the scams and had their login credentials stolen. Users who clicked on the link were sent to a GitHub page made to look like the Facebook login page. If credentials were entered, they were sent to the scammers through a Firestore database. Regarding the placement of the ads, a ThreatNix blog post said, “While Facebook takes measures to make sure that such phishing pages are not approved for ads, in this case the scammers were using Bitly links which initially must have pointed to a benign page and once the ad was approved, was modified to point to the phishing domain.” Further research revealed around 500 repositories on GitHub being used to host phishing pages associated with this scam campaign.