Facebook phishing campaign steals IDs and cash

A phishing attack targeting Facebook users may have already stolen hundreds of millions of passwords and $59 million.

The effort was identified by security analysts at phishing protection firm Pixm in late 2021, but has already proved effective

One of 400 landing pages Pixm identified garnered 2.7 million visits in 2021 and 8.5 million in 2022.

This phishing effort isn't unique. Like many social media attacks, a hacked account sends a link through DM. This link links, frequently via malvertising sites, to a phoney Facebook login page. 

This campaign uses app deployment providers like glitch.me, famous.co, and amaze.co to start a redirect chain to circumvent Facebook's phishing detection mechanisms.

According to an OWASP researcher, the attacker earned $150 per thousand US Facebook views in late 2021. Pixm feels the OWASP source exaggerated the campaign's profits.