A large scale ad phishing campaign that has compromised more than 6.15 lakh Facebook users' account was exposed by cybersecurity researchers. This ad phishing campaign is spread in at least 50 countries and reportedly the accounts are being compromised by exploiting the pages of open source repository GitHub.
ThreatNix which is a Nepal-based security firm, while giving insights into the attack, said that the number of affected users is rapidly increasing, at an unusual pace of over 100 entries per minute and the situation is expected to worsen furthermore if necessary steps are not taken in due time.
The researchers noted, "the phishing campaign by a sponsored Facebook post that was offering 3GB mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub page; the attackers created different pages imitating the legit pages from numerous entities. The attackers were using the profile picture and name of Nepal Telecom".
Additionally, the cybersecurity firm claimed in a statement this week, “similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway”. As per the findings of the firm, this ad phishing campaign is using localized Facebook posts and sending links inside these Facebook posts which redirected to a static GitHub page website that contained a login panel for Facebook.
The cybersecurity researchers also noted that “after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group”. The researchers also unearthed that nearly 500 GitHub repositories containing phishing pages are part of the identical phishing campaign.
According to cybersecurity firm ThreatNix, they are working in unison with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers were using Bitly link’s which pointed towards a benign page and when the Facebook ad was approved it was getting converted to point to the phishing domain, they used Bitly’s link because now Facebook takes all necessary steps to ensure that such phishing pages are not approved for ads.