Phishers try to lure 5K Facebook advertisers with fake business pages

A large-scale phishing campaign targeted over 5,000 businesses that actively advertise on Facebook. The attack involved tens of thousands of emails designed to steal credentials and data, impacting organizations across the US, Europe, Canada, and Australia. Security researchers at Check Point observed approximately 40,000 phishing emails hitting their customer base alone, originating from the legitimate facebookmail.com domain. One specific company was bombarded with over 4,200 malicious messages.

The attackers created fake Facebook Business pages that impersonated non-existent businesses. They then abused the Business invitation feature to send phishing emails designed to closely resemble authentic notifications from Meta. Because the invitations were generated by Meta's own infrastructure, the emails genuinely originated from Meta's domain, which helped them pass security filters and made recipients more likely to click the malicious links. The emails often used urgent language, such as "account verification required", to pressure recipients into clicking through to phishing websites built to harvest credentials and sensitive information.

The targeted industries included automotive, education, real estate, hospitality, and finance. While most of the emails were directed at small and mid-sized businesses, the campaign also managed to reach a smaller number of large, well-known companies. According to Check Point’s researchers, these sectors are particularly vulnerable due to their reliance on Meta platforms for customer engagement, making employees more accustomed to receiving genuine Meta Business notifications and therefore more likely to trust similar-looking malicious messages.

Check Point's research team emphasized that this campaign exemplifies a rising trend in which cybercriminals exploit legitimate services to gain trust and circumvent security measures. A legitimate sender domain substantially raises the danger of these phishing attempts: even though the emails are sent in bulk, they are far more potent than ordinary spam because sender-reputation checks alone will not catch them. Security teams should be aware of this trend, look for the telltale signs of malicious invitations, and reinforce employee education on identifying and reporting suspicious emails, even when they appear to originate from trusted sources.
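The point above is that the sender domain cannot be the deciding signal when the abused feature really does send mail from facebookmail.com, so triage has to look at the invitation's content instead. The following script is an added example, not code from the article or from Check Point, showing one such content-based check: it parses a raw invitation email, counts urgency wording of the kind the article cites, and flags any link whose host is outside a set of assumed Meta-owned domains. The two sample messages, the `TRUSTED_LINK_SUFFIXES` list, the phrase list and the scoring thresholds are all constructed assumptions for illustration and should be replaced with a baseline observed in your own mail flow.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption (not from the article): hosts that genuine Meta Business
# notification links point to. Replace with your own observed baseline.
TRUSTED_LINK_SUFFIXES = ("facebook.com", "fb.com", "meta.com")

# Urgency wording of the kind the article cites ("account verification required").
# Constructed list; extend from your own samples.
URGENCY_PHRASES = (
    "account verification required",
    "verify your account",
    "will be disabled",
    "immediately",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_trusted(url):
    """True if the URL's host is one of the assumed Meta-owned link domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_LINK_SUFFIXES)


def triage_invitation(raw_message):
    """Score one plain-text invitation email; a higher score is more suspicious.

    The sender domain is reported but never lowers the score: in this campaign
    the mail genuinely came from facebookmail.com, so it is not a trust signal.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # samples are single-part text/plain
    text = (subject + "\n" + body).lower()

    score, reasons = 0, []
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            score += 1
            reasons.append(f"urgency wording: '{phrase}'")

    # Every link to a host outside the trusted set weighs more than one phrase.
    untrusted_hosts = sorted(
        {(urlparse(u).hostname or "").lower()
         for u in URL_RE.findall(subject + "\n" + body)
         if not host_is_trusted(u)}
    )
    score += 2 * len(untrusted_hosts)
    for host in untrusted_hosts:
        reasons.append(f"link to non-Meta host: {host}")

    return {
        "sender_domain": sender_domain,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "likely benign",
        "untrusted_hosts": untrusted_hosts,
        "reasons": reasons,
    }


# Constructed sample: what a benign invitation might look like.
LEGIT_SAMPLE = """\
From: Meta for Business <notification@facebookmail.com>
Subject: Example Co invited you to their business portfolio
Content-Type: text/plain

Example Co (constructed sample) invited you to join its business portfolio.
Review the invitation: https://business.facebook.com/invite/constructed-token
"""

# Constructed sample: same sender domain, urgent wording, link off-platform.
PHISH_SAMPLE = """\
From: Meta for Business <notification@facebookmail.com>
Subject: Account verification required
Content-Type: text/plain

Your business page violates our policies and will be disabled.
Verify immediately: https://meta-business-verify.example/login
"""

if __name__ == "__main__":
    for name, sample in (("benign", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE)):
        result = triage_invitation(sample)
        print(name, result["verdict"], result["score"], result["reasons"])
```

Both samples report `facebookmail.com` as the sender domain; only the content separates them, which is the whole point of the campaign. In production this heuristic would sit behind, not instead of, a control that pivots on the destination of the invitation link (for example, forcing users to open invitations from inside the Business Manager rather than from the email).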

To read the complete article see: The Register

This post is licensed under CC BY 4.0 by the author.