Facebook users have been found to be the target of a large-scale phishing campaign.
“Is that you” is the name of this phishing scam, which circulates in various forms across Facebook and has been actively victimizing users since before 2017.
CyberNews publicized this phishing operation after discovering it in a recent investigation, stating:
Our investigation into a malicious Facebook Messenger message uncovered a large-scale phishing operation on Facebook. We also potentially identified the threat actor behind the phishing campaign and his intentions.
The scam begins with a typical Facebook message in which a "friend" claims to have found a video or image featuring you. The message usually carries what looks like a video; when clicked, it redirects the user through a chain of compromised websites running malicious scripts that determine the user's location, device type and OS version. After collecting these details, it lands the user on a Facebook phishing page that harvests credentials and, depending on the device, infects it with adware or other malware.
The campaign has reached over 480,000 potential victims since it began on 26th January 2020, and 77% of them are in Germany, so it is apparent that the attackers are primarily targeting German users. On that basis, CyberNews reached out to law enforcement agencies, including CERT Germany, Facebook, wal.ee (the URL shortener service used by the threat actor), and the Dominican Republic’s cyber police regarding the phishing incident.
However, it was not clear whether the threat actors confine themselves to the compromised contacts of victims on Facebook Messenger or are planning something malicious on a mass scale. During the investigation, CyberNews also established a substantial lead: a legitimate third-party web statistics service used by the adversary to track the phishing campaign, which allowed the investigators to determine the campaign's start date, the number of affected users, and other useful details.
Tamo Trabajando, translated as “we’re working,” is the real name of this Facebook phishing campaign. It is initiated through a Facebook message to the potential victim from one of their Facebook contacts. According to the CyberNews investigation, the message contains a seemingly enticing video link with suggestive text that asks the victim, ‘Is that you?’ in German.
Facebook's Open Graph protocol is leveraged to manipulate the fake video preview so that it includes the recipient’s name in the message content. If the recipient finds the link plausible and clicks it, the malicious script embedded beneath it redirects through a compromised legitimate website toward a fake Facebook phishing page.
The website appears to be legitimate. However, a malicious XML file has been injected into its code.
That website is also equipped with a small script that triggers a redirect to a shortened URL, directing the victim to a malicious phishing page. Because the threat actors use a legitimate website to host the malicious redirect scripts, the phishing attack becomes more effective, as it can bypass Facebook's blacklists.
The CyberNews investigation found that the phishing page includes HTML content with Open Graph metadata and images obfuscated with Base64 encoding.
The investigation also revealed that the author actually signed the malicious script; translated from Spanish, the author’s signature reads:
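As an added defensive illustration (not code from CyberNews or from the article), the following Python script scans a page's HTML for the three lure traits described above: a video-style Open Graph preview, a Base64-encoded image and a redirect to a URL shortener. The sample page and its URLs are constructed; wal.ee is the shortener named in the article, and the remaining names are the script's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure page (not the campaign's real code): a video-style Open Graph
# preview, a Base64 data-URI image and a redirect to the shortener named in the article.
SAMPLE_HTML = """<html><head>
<meta property="og:type" content="video.other">
<meta property="og:image" content="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAE=">
<meta http-equiv="refresh" content="0;url=https://wal.ee/x1y2z3">
</head><body><script>
setTimeout(function () { window.location.href = 'https://wal.ee/x1y2z3'; }, 200);
</script></body></html>"""
SHORTENER_HOSTS = {"wal.ee"}  # extend with the shortener domains you track

class LureParser(HTMLParser):
    """Collect Open Graph meta tags, meta-refresh targets and script-driven redirects."""
    def __init__(self):
        super().__init__()
        self.og, self.redirects, self._in_script = {}, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.og[a["property"]] = a.get("content") or ""
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.redirects.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # inline JS: catch "location = ..." / "location.href = ..." hops
            self.redirects += re.findall(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)", data)

def analyse(html):
    """Return the lure indicators found; a page showing all three is a strong candidate."""
    p = LureParser()
    p.feed(html)
    hosts = {urlparse(u).hostname for u in p.redirects} - {None}
    return {
        "og_video_preview": p.og.get("og:type", "").startswith("video") or "og:video" in p.og,
        "base64_og_image": ";base64," in p.og.get("og:image", ""),
        "redirect_to_shortener": bool(hosts & SHORTENER_HOSTS),
        "redirect_hosts": sorted(hosts),
    }
```

Run `analyse()` over HTML fetched from a reported link; the redirect hosts it returns can be fed straight into a blocklist or a takedown request to the shortener.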
Developed by
BenderCrack.com
The domain name in the signature has no active online footprint, but a Facebook page discovered during further investigation is more likely connected to the malicious script's creator.
The malicious script is found in the original phishing page, which is used to harvest user credentials and collect their location data.
These malicious scripts are hosted on the attacker's private server.
Legitimate third-party tracking code implanted in the phishing page was also discovered in this campaign.
CyberNews was also able to access the attacker's dashboard by obtaining its identifier, which allowed them to determine the scale of the phishing campaign.
Many details surfaced, such as the devices and browsers used by the victims, as access to the attacker's dashboard helped the CyberNews team gain a clear picture of the entire campaign from the attacker's perspective. Over 480,000 users have clicked the phishing link sent to them over Facebook Messenger. Further discoveries followed, correlated with other potentially dangerous activities planned by the same threat actors.
Despite Facebook's robust security measures against malware and malicious links, a phishing campaign with enough sophistication can bypass Facebook's security and carry out its malicious intent, if only for a temporary period.
From the investigation findings, it was clear that a dubious phishing campaign named “Is that you” was specifically targeting German users to harvest their credentials. But was there a hidden agenda behind this mass abuse of breached Facebook accounts to spread the campaign?
According to the investigation, the threat actor's motive is to redirect the targeted victims, after harvesting their sensitive data, to a malicious phishing website that infects them with adware or malware.
Blacksar Inc., another campaign by the same threat actors, was found to be connected with additional malicious websites and malware campaigns. Interestingly, while investigating their dashboard, a fair number of Spanish words were found throughout most of their code, such as saliendopadentro and Desarrollado por.
Beyond that, there is enough evidence to establish that the threat actors are from Spanish-speaking countries, possibly the Dominican Republic; among other things, the malicious Blacksar domains were registered from the Dominican Republic, which strongly suggests the same.
LA PARITA, a Facebook profile, and its visitors surfaced multiple times and were suspicious enough; they were most likely based in the Dominican Republic.
The entire investigation of this phishing campaign was recorded and shared as open source intelligence, and the remaining details were sent to the Computer Emergency Response Teams (CERTs) in Germany and the Dominican Republic.