The recent "Is that you?" phishing campaign has been victimizing users in many locations worldwide, initially most of them in Germany. Victims receive a Facebook message claiming that a video or photo of them has been captured. To view it, they are lured through a chain of sites that includes a page imitating the Facebook login page; the page silently captures the credentials the victim enters and then forwards them to an advertising website. The promised photo or video never appears. This modus operandi has been around since 2017 and has been repurposed by many adversaries for various motives, most evidently to infect the victim with adware or malware as the initial stage of further attacks.
Digging further into the recently uncovered Facebook campaign, the researchers confirmed that the phishing operation is still in progress and has already reached the United Kingdom (UK). According to the gathered intelligence, the number of affected UK users is approaching 20,000.
By developing more sophisticated code, the perpetrator has been able to keep the phishing operation running despite the security controls Facebook imposes.
Moreover, by tweaking the malicious source code obtained from the operation, the researchers were able to access an embedded third-party dashboard that the perpetrator uses to track statistics on the users caught by the drive. The dashboard shows the daily number of affected users, the operating system and browser of the device each victim used to open the redirection sites, and the running totals. Evidence in the code also led the researchers to other domains tied to the same modus operandi, starting from the domain it was first linked to, http://blacksar.in.
There is no indication so far that the harvested credentials have been used for other malicious activity. However, a concerned citizen who interviewed the perpetrator behind the attack reported that the perpetrator is paid 150 USD for every thousand users who land on the advertising website (hxxps://tdrco2.com/?). Based on the dashboard figures, the perpetrator's profit from the whole operation is now approximately 75,000 USD. Other motives have not yet been unravelled.
The research and evidence have already been passed to the relevant authorities, including Facebook and the CERTs of the most affected geographic locations, as well as of the country identified as the perpetrator's target, the Dominican Republic. The compromised websites used for redirection have been notified so that they can halt the operation or put a mitigation plan in place to avoid further damage. The public is again warned about the current scheme through an awareness drive that includes instructions and recommendations for securing credentials properly, such as creating a strong password, enabling multi-factor authentication, and checking that the address bar shows a genuine facebook.com domain before entering a password. Most importantly, users should stay vigilant and scrutinize everything they receive from the internet.
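The lure-and-redirect flow described at the start of this article, and the advice to scrutinize incoming links at the end, can both be turned into a concrete check. The following is an added example written for this page, not code from the researchers or from the campaign itself. It triages the links in a received message: known campaign indicators quoted above (blacksar.in and the defanged hxxps://tdrco2.com/? landing site) are flagged first, genuine Facebook login hosts are accepted, and the remaining hosts are screened for common spoofing tricks (a trusted name placed in the URL's userinfo part, a trusted name used as a subdomain of an attacker's domain, and non-ASCII lookalike hostnames). The allowlist of Facebook domains and the lure phrases are assumptions for the example, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts Facebook itself serves login pages from
# (example assumption, deliberately non-exhaustive).
TRUSTED_LOGIN_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}

# Indicators quoted in the article: the domain first linked to the campaign
# and the advertising landing site (given there in defanged "hxxps" form).
KNOWN_CAMPAIGN_DOMAINS = {"blacksar.in", "tdrco2.com"}

# Assumed lure wording for this campaign.
LURE_PHRASES = ("is that you", "is this you")


def refang(url):
    """Turn defanged hxxp/hxxps notation back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def hostname_of(url):
    """Return the lowercase hostname of url, or None if it is not an http(s) URL.
    urlsplit().hostname already drops 'facebook.com@' userinfo and any port,
    so a link like https://facebook.com@evil.example/ resolves to evil.example."""
    parts = urlsplit(refang(url))
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def matches_domain(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url):
    """Classify one URL as known-campaign, trusted, suspicious-idn,
    lookalike, untrusted or malformed. Order matters: indicators beat
    everything, a real Facebook host beats lookalike heuristics."""
    host = hostname_of(url)
    if host is None:
        return "malformed"
    if matches_domain(host, KNOWN_CAMPAIGN_DOMAINS):
        return "known-campaign"
    if matches_domain(host, TRUSTED_LOGIN_DOMAINS):
        return "trusted"
    # Non-ASCII hostnames can hide homoglyphs such as a Cyrillic "a" in "facebook".
    if not host.isascii():
        return "suspicious-idn"
    # A trusted brand appearing anywhere else in the host is a lookalike,
    # e.g. facebook.com.login-verify.example or fb-secure.example.
    labels = host.split(".")
    if "facebook" in host or "fb" in labels or any(l.startswith("fb-") for l in labels):
        return "lookalike"
    return "untrusted"


def scan_message(text):
    """Return (lure_seen, [(url, verdict), ...]) for one received message."""
    lure_seen = any(p in text.lower() for p in LURE_PHRASES)
    links = re.findall(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", text, re.IGNORECASE)
    return lure_seen, [(u, classify_link(u)) for u in links]


if __name__ == "__main__":
    # Constructed sample message in the style described by the article.
    sample = "Is that you in this video?? http://blacksar.in/watch?v=1"
    print(scan_message(sample))
```

Anything that is not "trusted" should stop a user (or an automated mail/chat filter) from entering credentials; the "lookalike" and "suspicious-idn" verdicts are the ones that catch the cases the article warns about, where the page looks like Facebook but the address bar does not say facebook.com.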