CTM360 Discovers Increased Incidence of Phishing Attacks Aimed at Meta Business Users

A new global phishing threat identified as “Meta Mirage” has emerged, specifically targeting organizations that utilize Meta’s Business Suite. This campaign primarily focuses on hijacking high-value accounts associated with advertising and official brand pages.

Cybersecurity experts have discovered that the perpetrators of the Meta Mirage attack impersonate legitimate communications from Meta. This deception is designed to trick users into divulging sensitive information, such as passwords and one-time security codes (OTPs).

The scale of this operation is particularly concerning. Current findings indicate that over 14,000 malicious URLs have been identified, with approximately 78% of these URLs remaining unblocked by web browsers at the time of reporting.

Attackers are employing sophisticated tactics by hosting fraudulent websites on trusted cloud platforms like GitHub, Firebase, and Vercel. This methodology complicates efforts to recognize the scams. Such tactics are consistent with recent reports that emphasize how cybercriminals exploit reputable cloud services to compromise applications and avoid detection.

The attackers utilize fake alerts regarding policy violations, account suspensions, or urgent verification requests. These messages are disseminated through email and direct messages, replicating the appearance of authoritative Meta communications. The urgency conveyed in these messages is designed to prompt quick actions from users, mirroring strategies seen in recent phishing campaigns leveraging Google-hosted pages.

Two primary methods are employed by the attackers:

1. Credential Theft: Targets are led to enter passwords and OTPs into convincingly designed counterfeit websites. The attackers also display false error messages that compel users to re-enter their information, which lets them confirm that the credentials collected are valid.

2. Cookie Theft: In addition to login details, the attackers harvest browser cookies. This technique enables continued access to compromised accounts, circumventing the need for passwords.

The repercussions of compromised accounts extend beyond individual businesses, as these accounts are frequently used to run malicious advertising campaigns. This escalation in fraudulent activity is akin to the tactics identified in the PlayPraetor malware campaign, which leveraged social media accounts for unauthorized ad distribution.

Research from CTM360 further outlines a systematic approach employed by the attackers to amplify the effectiveness of their scheme. Victims receive initially benign notifications that progressively intensify in urgency and severity. Early communications might refer to generic policy infringements, while later messages threaten immediate account suspensions or permanent deletions. This gradual escalation creates a sense of panic, prompting users to respond quickly without sufficient verification of the messages’ legitimacy.
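The two signals described above, brand-impersonating pages hosted on free cloud platforms and lure text that escalates from generic policy warnings to deletion threats, can be combined into a simple triage heuristic. The Python script below is an added example for illustration; it is not CTM360 tooling and contains no indicators from the report. The hosting suffixes (github.io, web.app, firebaseapp.com, vercel.app), the brand word list, the allow-list of legitimate Meta hosts, the lure vocabulary and the thresholds are all assumptions of this example, and every sample message is constructed.

```python
"""Triage heuristics for "Meta Mirage"-style lures (added example, not report tooling).

Scores (a) URLs that place a Meta/Facebook brand name on a free cloud
hosting domain and (b) message text that uses escalating policy/suspension
pressure. All lists and sample data below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosting suffixes for the platforms the report names (GitHub Pages,
# Firebase Hosting, Vercel). Assumption of this example, not report IoCs.
FREE_HOSTING_SUFFIXES = ("github.io", "web.app", "firebaseapp.com", "vercel.app")

# Brand words an impersonator wants the victim to see in the URL.
BRAND_WORDS = ("meta", "facebook", "business-suite", "instagram")

# Constructed allow-list: brand words on any other host are suspect.
LEGIT_HOSTS = ("facebook.com", "business.facebook.com", "meta.com", "instagram.com")

# Lure vocabulary grouped by the escalation stage the report describes.
URGENCY_TERMS = {
    "generic": ("policy violation", "community standards", "review"),
    "severe": ("suspended", "suspension", "restricted", "appeal within"),
    "terminal": ("permanently deleted", "permanent deletion", "final notice", "24 hours"),
}
STAGE_WEIGHT = {"generic": 1, "severe": 2, "terminal": 3}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def url_score(url):
    """Return (score, reasons) for one URL; 0 for an allow-listed host."""
    host = host_of(url)
    path = urlparse(url).path.lower()
    if matches_suffix(host, LEGIT_HOSTS):
        return 0, ["legitimate host"]
    score, reasons = 0, []
    brand_in_host = any(b in host for b in BRAND_WORDS)
    brand_in_path = any(b in path for b in BRAND_WORDS)
    if brand_in_host or brand_in_path:
        score += 2
        reasons.append("brand keyword on non-Meta host")
    if matches_suffix(host, FREE_HOSTING_SUFFIXES):
        score += 2
        reasons.append("free cloud hosting suffix")
        if brand_in_host:
            score += 1  # the exact combination this campaign relies on
            reasons.append("brand subdomain on free hosting")
    return score, reasons


def message_score(text):
    """Score lure language; later escalation stages weigh more."""
    t = text.lower()
    score, hits = 0, []
    for stage, terms in URGENCY_TERMS.items():
        for term in terms:
            if term in t:
                score += STAGE_WEIGHT[stage]
                hits.append(f"{stage}:{term}")
    return score, hits


def triage(message):
    """Combine URL and language signals into a verdict for one message."""
    url_total, url_reasons = 0, []
    for u in URL_RE.findall(message):
        s, r = url_score(u)
        url_total += s
        url_reasons += [f"{u}: {x}" for x in r]
    msg_total, hits = message_score(message)
    total = url_total + msg_total
    verdict = "block" if total >= 6 else "review" if total >= 3 else "allow"
    return {"score": total, "verdict": verdict, "urls": url_reasons, "language": hits}


# Constructed sample messages (no real URLs or indicators).
SAMPLE_MESSAGES = [
    "Your page has a policy violation. Review the case at https://meta-business-policy.github.io/appeal",
    "FINAL NOTICE: your ad account will be permanently deleted in 24 hours. "
    "Appeal within the form: https://business-verify.web.app/meta/login",
    "Reminder: your monthly ad invoice is ready at https://business.facebook.com/billing",
    "We noticed unusual activity. Please review at https://support-center-2024.vercel.app/help",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = triage(m)
        print(f"{r['verdict']:6} score={r['score']:2}  {m[:60]}...")
        for line in r["urls"] + r["language"]:
            print("   ", line)
```

The weighting deliberately rewards the combination the report highlights (brand word in a subdomain on a free hosting platform) above either signal alone, and the language scoring mirrors the escalation pattern: a generic "policy violation" notice on its own only warrants review, while "final notice" and deletion deadlines push a message toward blocking even when its link looks mundane.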

To safeguard against this pervasive threat, specific recommendations are provided:

– Utilize official devices exclusively for managing business social media accounts.
– Maintain distinct email addresses for business communications.
– Enable Two-Factor Authentication (2FA) for added security.
– Regularly evaluate account security settings and monitor active sessions.
– Provide training to staff on recognizing and reporting suspicious communications.

This extensive phishing campaign reinforces the critical need for vigilance and proactive security measures to secure valuable online assets effectively.