Huge Facebook Phishing Operation Targets Millions

Image of a facebook phishing campaign investigation meme.
PIXM only found the Facebook phishing attack now.

Since September 2021, major Facebook phishing operations have been reported. That said, a New York-based cybersecurity firm, PIXM, has just reported that the scope of the issues is much larger than anybody believed. In total, an estimated 8.5 million users have fallen victim to hacks up to June 2022.

From these recent discoveries and disclosures, we can deduct 3 things about the malicious attacks going on. These attacks are:

  1. Software-based 
  2. Exponentially growing
  3. Targeting vulnerable populations

The malice behind the action is evident. In fact, the malware was hacking personal accounts. Then, it mass sent messages to the users’ Facebook friends. Additionally, this Facebook phishing operation tries to hide that any messages were sent. That is also not the case with other phishing scandals.

This created an exponentially growing spiral of phishing messages. These would compromise the victim’s Facebook account. Then, this account helps attack more people. Additionally, users usually have a reputation with their Facebook friends. As a result, Facebook phishing is very dangerous.

Finally, the main targets for Facebook phishing attacks are those who are unfamiliar with phishing in general. In most cases, the scam messages focused on promotions and items that interest the elderly and underprivileged.

Phishing Campaigns Focusing on Facebook and Messenger

According to PIXM, the phishing campaign that affected up to 8.5 million users started early in 2021. It was also focusing exclusively on Facebook Messenger. Facebook phishing relied on users not sharing the phishing instances publicly. As a result, many did not recognize these messages as a direct attack. People were unaware of the dangers.

Additionally, the operation used completely legitimate services that generate URLs such as, Famous, and Amaze. As a result, Facebook could not recognize these links as dangerous. 

The metadata behind the URL didn’t have anything malicious. It also didn’t use a recognizable system of naming the web pages that platforms and users might recognize. Additionally, these Facebook phishing messages also spread exclusively through users. As a result, no external or internal factors indicated a large phishing operation.

The entity responsible for this Facebook phishing operation created multiple landing pages. Additionally, 405 unique Facebook profiles disseminated these fraudulent pages. Each profile only had to popularize only one page. This also prevented discovery.

Image of a fishing rod over a sea in the sunset.
The hacker took a very laid back and patient approach with the infection.

Millions Affected by Phishing Sites

Phishing is really a dangerous cybersecurity issue. Generally, users fall for a seemingly trustworthy message. Victims often recognize some addresses and trust them, so they fail to detect the scam. This Messenger scam also used frequently shared, inconspicuous links. As a result, it managed to reach exponential growth.

Primarily, the campaign operators made unique accounts. Then, they kept them parked for a while, without sending messages. During that time, the accounts cultivated organic growth through Facebook groups and pages. Right now, we can obviously see that these were sock-puppet accounts. However, they were trustworthy when they were created.

Once the campaign started, the accounts sent messages to all of their friends. After that, they only remained partially active. Additionally, each account only sent one problematic message. As a result, they were not recognized as participants in the campaign.

Rather, they were simply one of the victims in the chain. This also removed the reason from their contacts to report their account. In turn, this did not draw any unwanted attention to the campaign. Although some were eventually exposed, the Facebook phishing campaign only became fully apparent in June this year.

This left the malicious phishing campaign to operate freely for more than a year. In turn, it hit a truly unprecedented number of victims.

Phishing Made Millions of Dollars

During the length of the Facebook phishing campaigns, the perpetrators managed to gain millions of dollars. This revenue came from various advertising pages, survey forms, and promotional pages. For every click on the redirect page, the threat actors received a set fee.

Some links even reached as many as 6 million views. Likely, the campaign organizer made over $5 million during the website’s 18-month active period.

The scam worked with the Facebook message offering prizes and coupons for places like Walmart and Amazon. It also used schemes where the victim can allegedly make money by finishing surveys.

Through these messages, PIXM identified a man in Colombia named Rafael Dorado. Officially, this is a legitimate development company that offers automation services such as bots. However, unknown entities have seized their domain, and it has been inactive since. Mr. Dorado was not available for comment. Currently, Colombian police and Interpol are also investigating him.

Hopefully, this newly gathered information will help stop this campaign. Additionally, we hope both Facebook and URL providers reevaluate their cybersecurity policy after this. This way, they will be able to prevent these attacks in the future.

Image of the Instagram app preview in the Apple Store.
While the two attacks are not connected, Instagram has also witnessed phishing attacks.

Instagram Is Not Safe Either

Even Instagram, under the META umbrella, has also been experiencing a steep rise in phishing attacks. However, unlike the Facebook phishing scams, these attacks are targeting businesses.

One of the most popular types of attack was sending out mass emails to companies. These emails wrongfully accused a business that their account included copyrighted materials. After that, the user would need to click the link to solve the problem.

Once clicked, the Instagram user would be locked out of their account. After that, the cybercriminal uses this account as ransomware while waiting for payment. These attacks have also been devastating for businesses that rely on Instagram. They would need to wait for the company to investigate and return their accounts.

Unfortunately, email providers did not recognize these fraudulent addresses and did not flag them. The addresses also did not include Meta, Facebook, or Instagram’s official emails. Rather, this scam relies on the influencer’s distress. In their panic, they will likely click on any link to salvage their supposedly blocked account.  Thankfully, regular scrutiny is enough to notice these phishing attempts. 

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top