Millions of Facebook Users’ Credentials Were Stolen via Authentic App Services

The phishing effort used Facebook and Messenger to deceive millions of consumers into visiting advertising pages and websites where personal account information was exposed. 

The phishing campaign used messages through messenger to entice users to open the link, thus the pop-up requested for account credentials, which unsuspecting consumers provided by filling out the phishing form with their login and password. The campaign operators used the hacked accounts to send more hacker messages to their friends, earning a lot of money through internet advertising fees.

The effort peaked in April-May 2022 but has been active since at least September 2021, as per PIXM, a New York-based AI-focused cybersecurity business. Since one of the identified phishing pages included a link to a publicly accessible traffic monitoring app (whos.amung.us) without authentication, PIXM was able to track down the threat actor and map the campaign. 

Over 405 different usernames were uncovered by PIXM, each of which was linked to a distinct phishing landing page. In 2022, one username, teamsan2val, got 6.3 million views, up 128 percent from 2021. All of these usernames had a total of 399,017,673 sessions. The phishers also informed an OWASP researcher who claimed they made roughly $150 for every thousand visitors from the United States. This equates to $59.85 million in total revenue.

Millions of Facebook Users’ Credentials Were Stolen via Authentic App Services