The number of affected users has been growing exponentially, at a rate of more than 100 new entries per minute, says ThreatNix, a Nepal-based cybersecurity firm. Its researchers say the ad phishing campaign has compromised the accounts of more than half a million Facebook users across at least 50 countries by abusing GitHub Pages, the static-site hosting service of the code-hosting platform GitHub.
The researchers first encountered the phishing campaign through a sponsored Facebook post that offered 3GB of mobile data, purportedly from Nepal Telecom, and redirected users to a phishing site hosted on GitHub Pages. The page that posted the ad displayed the profile picture and name of Nepal Telecom and was a near-exact copy of the real page.
“We saw similar Facebook posts targeting Facebook users from Tunisia, Egypt, Philippines, Pakistan, Norway, and Malaysia, among others,” the firm said. According to the firm, the campaign has been using localised Facebook posts and pages that spoof legitimate entities, with ads targeted at specific countries.
When users clicked the post, they were redirected to a static GitHub Pages site that contained a Facebook login panel. “All these static GitHub pages forwarded the phished credentials to two endpoints: one to a Firestore database and another to a domain owned by the phishing group,” the researchers said. “We discovered almost 500 GitHub repositories containing phishing pages that are a part of the same phishing campaign.”
At the time of writing, neither Facebook nor GitHub had commented on the ThreatNix report. ThreatNix said it was working with the relevant authorities to dismantle the phishing infrastructure, and “as such we are withholding the information related to the domains until then”.
While Facebook routinely takes steps to ensure such phishing pages are not approved for ads, in this instance the scammers used Bitly links that may initially have pointed to a “benign page” and, once the ad was approved, would have been modified to point to the phishing domain, the researchers explained in their note.