Unmasking a Cyber Attack that Targets Meta Business Accounts

					<div>
				<div>
		<div>
							<div>
			<div>
<p>By Dylan Duncan</p><p>The majority of businesses today use social media platforms for advertising products, sharing updates, and engaging with customers. But what happens when a business account falls into the hands of a threat actor? This report explores the inner workings of an advanced phishing campaign capable of bypassing multi-factor authentication (MFA) to target <a href="https://business.facebook.com/" rel="noreferrer" target="_blank">Meta</a> business accounts. Cofense has discovered a comprehensive toolkit that enables threat actors to create malicious links, check whether those links are still live, generate emails, and perform other supporting tasks. As it stands, this campaign proficiently crafts <a href="https://cofense.com/knowledge-center-hub/real-phishing-email-examples/" rel="noreferrer" target="_blank">phishing emails</a> directed at users in 19 countries and in the corresponding languages. These emails, appearing to originate from Meta, claim that the account has violated a policy or infringed on a copyright. Should this campaign succeed, followers of the compromised Facebook business account are likely to be at risk of additional, potentially targeted, attacks using unexpected attack vectors, such as malicious ad campaigns.</p><h3>Key Points</h3><ul><li><strong>Targets Meta Business Accounts</strong> – This report is a breakdown of a very complex phishing campaign that spoofs Meta, using lures about policy violations and copyright infringement to steal business accounts.</li><li><strong>Efficient Targeting of 19 Countries</strong> – The tools uncovered in this campaign can generate emails that target 19 different countries in the appropriate languages.</li><li><strong>Successfully Reaches Inboxes</strong> – Cofense has identified a high number of these emails in enterprise environments that are protected by secure email gateways (SEGs).</li><li><strong>Uncovered Threat Actor Infrastructure</strong> – Cofense discovered open access to tools used by the threat actors sending emails for this campaign. The infrastructure includes tools for generating phishing emails, creating Netlify App links, and checking whether links are live, as well as a large IOC list and even information about targets and financial profits.</li><li><strong>Multi-Factor Authentication Bypass</strong> – Threat actors using this phishing kit want full access to the Meta business accounts; in this campaign, they have included an additional step to bypass MFA.</li><li><strong>Meta is the 2nd Most Spoofed Brand in Credential Phishing</strong> – Based on credential phishing emails that Cofense has seen in 2024, Meta ranks second among the top spoofed brands. This is still significantly lower than Microsoft, the top spoofed brand in credential phishing.</li></ul><h2>Your Advertising Content Violated Policies</h2><p>The campaign starts with a phishing email like the one in Figure 1 below. Each email spoofs a Meta entity; in this case it is the Facebook Ads Team, notifying the user of a policy violation and requesting that they verify their information. At first glance, the sender appears to be the Facebook Ads Team, but there are still clear signs that this is phishing. Examples include grammatical errors like the bold “<strong>WHAT I CAN DO?</strong>”, the sender’s actual address, and of course a closer look at the link embedded in the “<strong>Verify</strong>” button that the email wants the user to click. By hovering over the Verify button, a user can quickly determine that the following link is malicious:</p><p><strong>hxxps://restriction-case-278191641-545214[.]netlify[.]app/form[.]html</strong></p><p><img alt="Figure 1: Phishing email that reached a user’s inbox." height="847" src="https://cofense.com/wp-content/uploads/2024/05/Figure-1-Phishing-Email.png" width="1024" /></p><p><em>Figure 1: Phishing email that reached a user’s inbox.</em></p><p>Every email exhibits slight variations, yet they all adhere to the same theme. Table 1 below offers only a limited selection of the subjects Cofense has identified for this campaign; numerous others exist.</p><p>Table 1: Sample of subjects used in phishing emails spoofing Meta, specific to this campaign.</p>						</div>
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
		<div>
<table><tr><th>Meta Spoofing Phishing Email Subjects</th></tr>
<tr><td>Your advertising content has violated our Policies</td></tr>
<tr><td>Advertising accounts will be deleted due to policy violations</td></tr>
<tr><td>Account disabled due to policy violations</td></tr>
<tr><td>Urgent Action Required: Notice of Deletion of Your Facebook Page</td></tr>
<tr><td>Your ad account is at risk of permanent restriction</td></tr></table>
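<p>As an added defender-side example (not Cofense tooling, and not anything recovered from the campaign), the following Python scores a raw email against the indicators described above: a Meta-branded display name sent from a non-Meta domain, the lure wording seen in the Table 1 subjects and the Figure 1 body, and links on the Netlify[.]app, Vercel[.]app or t[.]co hosts the campaign abuses. The META_DOMAINS allow-list and the sample message are assumptions constructed for the example; its hostnames and path are placeholders, not the live indicators from this report.</p>

```python
# Added defender-side example (not Cofense tooling): score a raw RFC 822 email against this report's lure pattern.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosting and redirect domains the report says the campaign abuses.
ABUSED_HOSTS = ("netlify.app", "vercel.app", "t.co")
# Legitimate Meta sender domains (assumption: minimal allow-list, extend for production).
META_DOMAINS = ("facebookmail.com", "facebook.com", "meta.com")
# Lure wording drawn from the report's Table 1 subjects and the Figure 1 body.
LURE_WORDS = ("violated our policies", "policy violation", "copyright",
              "restriction", "disabled", "deletion", "verify")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BRAND_RE = re.compile(r"\b(meta|facebook|instagram)\b", re.I)

def _under(host: str, domains: tuple) -> bool:
    # Exact match or true subdomain only, so a host such as "notnetlify.app" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)

def host_is_abused(url: str) -> bool:
    return _under(urlparse(url).hostname or "", ABUSED_HOSTS)

def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    findings = []
    spoofed = bool(BRAND_RE.search(name)) and not _under(sender_domain, META_DOMAINS)
    if spoofed:
        findings.append(f"Meta-branded display name from non-Meta domain {sender_domain}")
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        findings.append("lure wording: " + ", ".join(lures))
    bad_links = [u for u in URL_RE.findall(text) if host_is_abused(u)]
    if bad_links:
        findings.append("links on abused hosting: " + ", ".join(bad_links))
    # Brand spoof + lure + abused-hosting link together is the pattern this report describes.
    return {"suspicious": spoofed and bool(lures) and bool(bad_links), "findings": findings}

# Constructed sample modelled on Figure 1; hostnames and path are placeholders, not live IOCs.
SAMPLE_EMAIL = """\
From: Facebook Ads Team <noreply@ads-notice-placeholder.example>
Subject: Your advertising content has violated our Policies

Your page has violated our advertising policies. WHAT I CAN DO?
Verify here: https://restriction-case-000000000-000000.netlify.app/form.html
"""
```

<p>Calling <code>analyze(SAMPLE_EMAIL)</code> returns <code>suspicious=True</code> with one finding for each of the three indicators; a notification from facebookmail.com linking to facebook.com produces no findings.</p>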
					<div>
				<div>
		<div>
							<div>
			<div>
<p>The campaign starts with an email and ends with the account being compromised, but there are a few notable steps in the infection chain before the target business account is fully compromised. Each step follows the same lure to draw victims in and collect sensitive information related to the account. Images of the phishing pages can be seen in Figure 2 below.</p><ul><li><strong>Email Link</strong> – The phishing emails start with a link that is either hyperlinked to text or embedded in a clickable image like the “Verify” button seen earlier. These links are all hosted on the domains Netlify[.]app or Vercel[.]app, web hosting services that the threat actors abuse to host their phishing sites. In some cases, the campaign inserts a t[.]co link (X’s link shortener) into the infection chain, which acts only as an additional redirect.</li><li><strong>Step 1: Landing Page</strong> – Following the email, users are met with a landing page that serves no functional purpose other than to convince users that this is a legitimate process to recover their account.</li><li><strong>Step 2: Account Information</strong> – The second step harvests Meta account information such as business email, page name, page owner, email address, phone number, financial details, and recent travel arrangements, and provides an area to submit an appeal. Some of this information may seem unnecessary, but if the threat actors successfully gain access to an account, it could help them disrupt Meta’s account recovery process.</li><li><strong>Step 3: Account Password</strong> – The third step is straightforward: it simply requests that the user enter their password. Stolen information in this campaign is exfiltrated to various locations set up by the threat actors; in one observed case, credentials were posted to a Telegram bot.</li><li><strong>MFA Bypass Step</strong> – This step is what makes this campaign such a high-level and potentially successful threat. At first glance it is simple: it asks the user to enter the 6-digit or 8-digit code from their authenticator app. Once the code is entered, a loading process waits long enough for a new code to be generated and then requests that one as well. This additional step is likely used to ensure that access to the account has successfully been stolen.</li></ul><p><img alt="Figure 2: The landing page, the first page that users will see after interacting with the phishing URL." height="930" src="https://cofense.com/wp-content/uploads/2024/05/Figure-2-Landing-Page.png" width="1846" /></p><p><em>Figure 2: The landing page, the first page that users will see after interacting with the phishing URL.</em></p><p><img alt="Figure 3: Breakdown of the full phishing infection chain." height="1920" src="https://cofense.com/wp-content/uploads/2024/05/Figure-3-Infection-Chain.jpg" width="1742" /></p><p><em>Figure 3: Breakdown of the full phishing infection chain.</em></p><h2>A Deep Analysis of Threat Actor Infrastructure</h2><p>During an analysis, a Cofense threat analyst identified open access to tooling used for this campaign, hosted on bot1[.]sieulike[.]com. The site contains several redirects, which have been translated from Vietnamese to English. These redirects go to resources the threat actors frequently visit, such as Netlify[.]app to create new links, the Microsoft email login for Hotmail, and two spreadsheets: one for profits and costs, and one containing data on the countries they target. 
Most of these are locked behind logins and require access to be granted by the threat actors.</p><p>In particular, the profit/cost spreadsheet requires a login before it can be viewed. The fact that there is a spreadsheet specifically for costs and profits implies that the threat actors are seeking financial gain. While that is obvious for most campaigns, for this one in particular it certainly proves that the threat actors will employ an additional attack vector once the business ad account has been compromised.</p><p><img alt="Figure 4: Threat actor resources, infrastructure, and tools used in this campaign." height="316" src="https://cofense.com/wp-content/uploads/2024/05/Figure-4-Tool-List.png" width="411" /></p><p><em>Figure 4: Threat actor resources, infrastructure, and tools used in this campaign.</em></p><p>The site also hosts several tools that show how efficient and advanced these threat actors are. These tools range from simply converting input text into a CSV to generating complete phishing emails. A breakdown of some of the more notable tools listed in Figure 4 follows:</p><ul><li><strong>Check Links (Figures 5 and 6)</strong> – All of the indicators of compromise you could ever want are conveniently included in this tool. Not only does it contain a long list of phishing URLs that are actively being used, but it also allows the threat actors to automatically check whether the links are still live or have been taken down.</li><li><strong>TEXT emails to countries (Figure 7)</strong> – This is a unique tool used to automatically generate phishing emails based on criteria entered by the threat actors. 
The threat actors select one of the 19 countries they target, the theme they want the email to have (policy violation or copyright infringement), and the phishing link they want to use; the tool then generates a text version of the email and its headers.</li></ul><p><img alt="Figure 5: Threat actor tool to input malicious links to check if they’re active." height="567" src="https://cofense.com/wp-content/uploads/2024/05/Figure-5-Link-Checker_1.png" width="687" /></p><p><em>Figure 5: Threat actor tool to input malicious links to check if they’re active.</em></p><p><img alt="Figure 6: Results from the URL input showing whether each link is active or dead." height="430" src="https://cofense.com/wp-content/uploads/2024/05/Figure-6-Link-Checker_2.png" width="1188" /></p><p><em>Figure 6: Results from the URL input showing whether each link is active or dead.</em></p><p><img alt="Figure 7: Threat actor tool to generate phishing emails for this campaign." height="1917" src="https://cofense.com/wp-content/uploads/2024/05/Figure-7-Email-Generator.jpg" width="1074" /></p><p><em>Figure 7: Threat actor tool to generate phishing emails for this campaign.</em></p><h2>Meta Spoofing in the Threat Landscape</h2><p>Cofense reports daily on a significant number of credential phishing emails uncovered in enterprise users’ inboxes. Of those emails, Meta is the second most spoofed brand seen in the first quarter of 2024, and emails from this campaign make up a good portion of the Meta-spoofing volume. Figure 8 below shows the top 5 brands spoofed in credential phishing campaigns seen by Cofense in Q1 of this year. Meta follows Microsoft, which is well known for being spoofed in a high percentage of phishing emails due to the widespread use of Microsoft email services.</p><p><img alt="Figure 8: Top brands spoofed in Credential Phishing campaigns seen by Cofense in Q1 2024." height="505" src="https://cofense.com/wp-content/uploads/2024/05/Figure-8-Cofense-Top-Brands-Spoofed.png" width="865" /></p><p><em>Figure 8: Top brands spoofed in Credential Phishing campaigns seen by Cofense in Q1 2024.</em></p>						</div>
			</div>
				</div>
	</div>
						</div>
	
						</div>
	<p>The post <a href="https://cofense.com/blog/cyber-attack-that-targets-meta-business-accounts/" rel="noreferrer" target="_blank">Unmasking a Cyber Attack that Targets Meta Business Accounts</a> appeared first on <a href="https://cofense.com" rel="noreferrer" target="_blank">Cofense</a>.</p>
