Beyond the Chatbot: Meta Phishing with Fake Live Support

In a previous Trustwave SpiderLabs’ blog, we explored how cybercriminals exploit Facebook Messenger chatbots to execute social engineering attacks, deceiving users into falling victim to scams and phishing schemes. These attacks often rely on the perceived legitimacy of automated systems to manipulate users into sharing sensitive information.

Building on that discussion, this blog delves into a more sophisticated phishing strategy targeting Meta/Facebook users. This time, the attackers utilize fake live support chat services, creating an illusion of real-time interaction with legitimate customer support representatives. By mimicking authentic communication channels, they aim to build trust and lower users' defenses, making it easier to extract personal information. We’ll break down how these phishing schemes operate, the tactics used to convince users of their authenticity, and how you can protect yourself from falling victim to these threats.

To illustrate this tactic, we’ll analyze a phishing email sample that emerged in early December 2024, which we highlighted in an alert on our SpiderLabs X account. This email serves as a key entry point for the attack, setting the stage for unsuspecting users to engage with the fraudulent live support chat. The phishing email (Figure 1) claims unusual API activity has been detected on the victim’s Facebook account, resulting in the account being “locked”. To resolve the issue, the email offers the recipient an opportunity to submit an appeal via a provided link.

Figure 1. A fake Facebook email with account restriction lure and Salesforce domains.

The link included in the phishing email (Figure 1) is disguised under a Salesforce-owned domain, salesforce-sites[.]com, lending an air of legitimacy to the communication. However, this link functions merely as a redirector, seamlessly funneling unsuspecting users to the actual phishing landing page. Upon reaching the landing page (Figure 2), victims are presented with a Cloudflare CAPTCHA check, further enhancing the appearance of authenticity and security while concealing the malicious intent behind the site.

Figure 2. Landing page with Cloudflare CAPTCHA implementation.

After successfully passing the CAPTCHA test, we are directed to a landing page, hxxps://account[.]metasystemaccount[.]com (Figure 3.1), which is a newly registered domain designed to mimic Meta’s account overview interface. This fraudulent page opens a prompt asking for the user’s email address plus first and last name as a prerequisite to initiating the purported appeal ticket process.

Figure 3.1. Pop-up form for entering customer name and email address after clicking the “Request Review” button.

In a more recent iteration of this phishing scheme (Figure 3.2), the attackers have refined the landing page’s behavior by replacing the original pop-up form with an inline form embedded directly on the page with the addition of a phone number textbox.

Figure 3.2. Updated landing page that now shows an inline display of the pop-up form from Figure 3.1.

Following the steps illustrated in Figures 3.1 and 3.2, we encountered the chat box interface shown in Figure 4.1. Here, an automated message informed us that a customer support representative would soon assist us.

Figure 4.1. Initial chat box prompt after clicking “Continue” from the form in Figures 3.1 and 3.2.

In our initial test (Figure 4.1), we initiated the chat using a dummy email address. After sending a few messages, we received a response from a representative identifying as "Joseph Turner", stating that the provided dummy email was not associated with any Facebook account, possibly indicating some form of validation being performed on their end, as shown in Figure 4.2 below.

Figure 4.2. Possible email validation response after using dummy email from Figure 4.1.

Additionally, the page features a right-hand side panel containing step-by-step instructions, as shown in Figure 4.3 below, for setting up Facebook’s two-factor authentication (2FA), with a request to enter a setup key, further attempting to gain access to our account security details.

Figure 4.3. The step-by-step Facebook 2FA setup instructions provided on the phishing landing page.

In a separate session, we initiated the chat using a different name and email address. The same representative, "Joseph Turner", responded and requested that we provide a screenshot of a specific page within Facebook as a form of validation, as shown in Figure 4.4 below.

Figure 4.4. The chat support representative asked the victim to validate the Facebook profile by submitting a screenshot of their Facebook business settings page.

After pretending to be in distress over our inability to access the account, the chat box, through "Joseph Turner", escalated the conversation by requesting that we provide our account password as part of the troubleshooting process, as shown in Figure 4.5 below. It's important to note that legitimate support channels typically remind users never to share their passwords, as doing so could compromise account security.

Figure 4.5. The chat box prompts the victim to enter their account password and shows a loading animation while the phished data is being sent to threat actors.

During these chat box sessions, we observed constant POST requests to these two URLs, one of which denotes the use of a Telegram API, which might be the channel the threat actors use to interact with the chat box:

  • hxxps://account[.]metasystem*[.]com/check_user_page[.]php
  • hxxps://account[.]metasystem*[.]com/telegram_api[.]php
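As an added defensive illustration (not code from the post or from Trustwave), the script below scans proxy log lines for the behaviour just described: POSTs to the two kit endpoints on a host whose registrable domain borrows a Meta brand word without being Meta-owned. The log format, the sample lines, and the brand and endpoint lists are constructed assumptions.

```python
from urllib.parse import urlsplit

# Kit endpoints the post saw receiving constant POSTs while the fake-support chat ran.
KIT_ENDPOINTS = {"/check_user_page.php", "/telegram_api.php"}
BRAND_TOKENS = ("meta", "facebook")
BRAND_OWNED = {"facebook.com", "meta.com", "fb.com", "fbcdn.net"}  # assumed allowlist

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); ignores multi-label suffixes such as co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_brand_lookalike(host: str) -> bool:
    """True when the registrable label borrows a Meta brand word but the domain is not Meta-owned."""
    reg = registrable_domain(host)
    if reg in BRAND_OWNED:
        return False
    return any(tok in reg.split(".")[0] for tok in BRAND_TOKENS)

def classify(method: str, url: str):
    """Return an alert label for one request, or None when nothing matches."""
    u = urlsplit(url)
    host, path = (u.hostname or ""), u.path
    lookalike = is_brand_lookalike(host)
    if method.upper() == "POST" and path in KIT_ENDPOINTS:
        # The same script names on a non-lookalike host still deserve a look, at lower priority.
        return "kit_exfil" if lookalike else "kit_endpoint_post"
    return "lookalike_visit" if lookalike else None

def scan(log: str) -> list:
    """Parse 'ts client method url status' lines and return (ts, client, label, url) alerts."""
    alerts = []
    for line in log.splitlines():
        ts, client, method, url, _status = line.split()
        label = classify(method, url)
        if label:
            alerts.append((ts, client, label, url))
    return alerts

# Constructed proxy log (not real traffic); the lookalike host is the one named in the post.
SAMPLE_LOG = """\
2024-12-05T10:01:02Z 10.0.0.12 GET https://www.facebook.com/settings 200
2024-12-05T10:01:40Z 10.0.0.12 GET https://account.metasystemaccount.com/ 200
2024-12-05T10:02:05Z 10.0.0.12 POST https://account.metasystemaccount.com/check_user_page.php 200
2024-12-05T10:02:06Z 10.0.0.12 POST https://account.metasystemaccount.com/telegram_api.php 200
2024-12-05T10:03:00Z 10.0.0.15 POST https://intranet.example.org/telegram_api.php 404
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The lookalike check deliberately inspects only the registrable label, so hosts such as metadata.example.org do not fire; tune BRAND_OWNED to your own allowlist.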

We also discovered a link that seems to display the information harvested from both the chat box form and the side panels (Figure 5), further confirming the attackers' collection of sensitive user data during the interaction.

Information collected:

  • Password
  • OTP
  • Status
  • Page name
  • Full URL

Figure 5. The page shows harvested information such as username, password, and OTP.


Salesforce Platform Abuse

The threat actor behind this campaign is leveraging Salesforce email services to send phishing messages targeting Meta users. These emails are sent from legitimate Salesforce domains (@*.salesforce.com), enhancing their ability to bypass detection filters and appear authentic to recipients.

To further illustrate the scope of this phishing campaign, we have compiled a table showcasing the most common email subject lines observed during our investigation. These subject lines are carefully crafted to trigger urgency or concern, increasing the likelihood that recipients will engage with the malicious content. By using variations of these subjects, the attackers can cast a wide net, attempting to deceive as many Meta users as possible.

Figure 6. Example subject lines of phishing emails from this campaign.

This is not the first instance of Salesforce being exploited in phishing campaigns. Last year, a zero-day vulnerability in Salesforce CRM's 'Email-to-Case' feature allowed attackers to send phishing emails from addresses formatted as *@*.case.salesforce.com, as reported by Guardio.

In this latest wave of campaigns, however, the sender format has shifted to *@*.chatter.salesforce.com, as shown in Figure 7. This change suggests that the attackers are now leveraging Salesforce Chatter, a collaboration tool embedded within Salesforce’s user interface that facilitates communication and file sharing among users.

Figure 7. Email headers of the phishing sample coming from Salesforce.
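Added example, not code from the post or from Trustwave: a mail-filter heuristic that combines the sender pattern just described (*@*.chatter.salesforce.com, and the earlier *@*.case.salesforce.com) with the Meta branding, urgency wording and salesforce-sites.com redirector link described earlier in the post. The sample messages, keyword lists and the Meta-owned domain list are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender pattern the post reports: *@*.chatter.salesforce.com (earlier wave: *@*.case.salesforce.com),
# and the Salesforce-owned salesforce-sites.com host used purely as a redirector to the kit.
SALESFORCE_SENDER_RE = re.compile(r"@[\w.-]+\.(?:chatter|case)\.salesforce\.com$", re.I)
REDIRECTOR_RE = re.compile(r"https?://[^\s\"'<>]*\.salesforce-sites\.com/[^\s\"'<>]*", re.I)
BRAND_WORDS = ("facebook", "meta")
LURE_WORDS = ("locked", "restricted", "appeal", "unusual", "api activity", "suspended")
META_DOMAINS = ("facebook.com", "facebookmail.com", "meta.com")  # assumed allowlist

def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and report which campaign indicators it carries."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Brand spoof: claims to be Meta/Facebook (subject or display name) but not sent from a Meta-owned domain.
    brand_claim = any(w in subject + " " + display_name.lower() for w in BRAND_WORDS)
    meta_owned = any(sender_domain == d or sender_domain.endswith("." + d) for d in META_DOMAINS)
    sf_sender = bool(SALESFORCE_SENDER_RE.search(addr))
    spoof = brand_claim and not meta_owned
    lure = any(w in subject for w in LURE_WORDS)
    link = bool(REDIRECTOR_RE.search(text))
    # Verdict: Salesforce-relayed mail impersonating Meta, carrying the lure wording or the redirector link.
    return {"salesforce_sender": sf_sender, "brand_spoof": spoof, "urgency_lure": lure,
            "salesforce_sites_link": link, "suspicious": sf_sender and spoof and (lure or link)}

# Constructed samples (not the campaign's real emails): one modelled on Figures 1 and 7, one ordinary Chatter notification.
PHISH_EML = """\
From: "Facebook Support" <noreply@org-0000.chatter.salesforce.com>
Subject: Unusual API activity detected - your account has been locked
Content-Type: text/html; charset="utf-8"

<p>Your account has been locked. <a href="https://platform-drive-0000.my.salesforce-sites.com/appeal">Submit an appeal</a></p>
"""
BENIGN_EML = """\
From: "Chatter" <noreply@org-0000.chatter.salesforce.com>
Subject: Alice mentioned you in a post
Content-Type: text/plain; charset="utf-8"

Alice: can you review the Q3 deck?
"""

if __name__ == "__main__":
    print(score_message(PHISH_EML), score_message(BENIGN_EML), sep="\n")
```

The benign Chatter notification also arrives from a Salesforce domain, which is why the verdict requires the brand claim plus a lure or redirector rather than the sender pattern alone.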

As phishing tactics continue to evolve, it’s crucial for users to remain vigilant against the ever-growing sophistication of these attacks. The shift from automated chatbots to fake live support services, combined with the exploitation of trusted platforms such as Salesforce and Cloudflare, highlights the increasing complexity of social engineering campaigns. To protect yourself, always verify the authenticity of unexpected communications, avoid clicking on suspicious links, and refrain from sharing sensitive information through unsecured channels. By staying informed and cautious, you can better defend yourself against these evolving threats.
