Cybercriminals are Abusing Facebook Ads in a Large-Scale Phishing Scam


A recent large-scale campaign exploiting Facebook ads was spotted by analysts from security company ThreatNix. Security actors use Facebook advertising to funnel users to Github accounts that host phishing sites used to steal the login credentials of victims.

More than 615,000 users in different countries, including Egypt, the Philippines, Pakistan and Nepal, were targeted by the initiative.

Phishing sites that impersonate real businesses are the landing pages. Once the victims have given the passwords, via a Firestore database and a domain hosted on GoDaddy, they will be forwarded to the perpetrators.

The campaign seems to be well coordinated, threatening actors using localised Facebook posts and accounts that resemble legitimate organisations and individual countries’ target advertising.

To escape detection, the scammers used an intriguing trick, the shortened URL used, which initially leads to a benign page that is changed after the advertisements have been accepted.

“While Facebook takes steps to ensure that such phishing pages are not approved for advertisements, in this case the scammers were using Bitly links that initially had to point to a benign page and were modified to point to the phishing domain once the ad was approved.”

Attackers behind this effort have used at least 500 phishing sites containing Github servers, some of which are now inactive. The first phishing page was created 5 months ago on GitHub.

We were able to get access to some phishing credentials after some searching. There seem to be more than 615,000+ entries at the time of writing this post and the list is rising at a fast rate of more than 100 entries per minute.

In order to take down the phishing infrastructure used in this operation, specialists are collaborating with the appropriate authorities.

In October, Facebook detailed an ad-fraud cyberattack that has been going on since 2016, to steal Facebook passwords and browser cookies, crooks use malware tracked as SilentFade (short for “Silently running Facebook Ads with Exploits”).

The giant social network disclosed that malware emerged in China and allowed hackers to siphon $4 million from the advertisement accounts of users.

Initially, threat actors hacked Facebook profiles and used them to steal cookies from browsers and carry out harmful operations, including malicious advertisement promotion.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.