A major phishing campaign has been uncovered which will have earned its operators thousands and thousands of dollars through affiliate advertising commissions.
Discovered by AI-focused cybersecurity firm PIXM in September 2021, before its peak in April and May 2022, the campaign leveraged Facebook’s Messenger service, legitimate URL shortener services, and web pages with ads and surveys.
The premise is simple: the crooks created numerous phishing sites where victims would be lured into giving away their Facebook credentials. After that, two things would happen. One – they’d be redirected to a website with ads, surveys, and other means of revenue generation for the operators, and two – the victims’ Facebook accounts would be used to further spread the campaign, via Messenger.
Circumventing Facebook’s protections
Messenger is usually relatively good at spotting and killing phishing links, but the crooks managed to bypass the protection mechanism with legitimate URL shortening services such as litch.me, well-known.co, amaze.co, and funnel-preview.com, the researchers found.
The entire campaign, it would seem, was automated, with little or no intervention from the campaign’s masterminds.
“A user’s account would be compromised and, in a possibly automated fashion, the threat actor would log in to that account and send out the link to the user’s friends via Facebook Messenger,” PIXM said.
Digging deeper, PIXM found one of the phishing pages hosting a link to a public, open traffic monitoring app. Through the app, they discovered that in 2021, 2.7 million users visited one of the phishing sites, spiking to 8.5 million this year.
A total of 405 unique usernames were used as campaign identifiers, which might not be the total number of accounts used for the campaign.
PIXM also found a common code snippet on all of the phishing pages, which referenced a website seized, and shut down, by law enforcement agencies. Allegedly, it belongs to a Colombian man, one Rafael Dorado, against whom an investigation is currently ongoing.
Details on the earnings are scarce, but the researchers are saying they’re “in the thousands and thousands”.
Via: BleepingComputer