Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain

Meta has two of the largest social media platforms today, Facebook and Instagram. These platforms became the modern gateway for people not just to socialize and eavesdrop on the lives of famous personalities, but more importantly, to stay connected with their friends and loved ones. The sites also became effective channels for organizations to advertise and disseminate information. However, their global presence has made these social media sites an attractive avenue for cybercriminals to perform their nefarious deeds.

Trustwave SpiderLabs previously released two blogs about Facebook and Instagram phishing. The common denominator between these two articles is that we discuss the use of phony notifications which lure victims into thinking that they have allegedly committed a violation of terms. The victim must then make an appeal through a crafted phishing page to avoid losing access to their account. This social engineering tactic is not new, but cybercriminals are constantly innovating, creating ever more sophisticated ways to evade security controls and filters.

Recently, we came across another example that operates in the same vein, which we have dubbed Meta-Phish. A successful Meta-Phish attack could result in the loss of Personally Identifiable Information (PII), login credentials, and the victim's Facebook profile link.

Figure 1: Phishing email message

Instead of the usual phishing link to an external landing page, this mail sample is crafted with a link that points to an actual Facebook post. The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain.

Figure 2: Dummy ‘Page Support’ profile page

The link in the post leads to this main phishing URL, hxxps://meta[.]forbusinessuser[.]xyz/main[.]php, which mimics Facebook’s copyright appeal page.

Figure 3: Fake Facebook Copyright Appeal page

Upon clicking the send button, any information entered in the form by unsuspecting victims will be sent to the cybercriminals, along with the victim’s client IP and geolocation information. Let’s look at the source code and see how this attack unfolds.

Inspecting the source code of main[.]php reveals a link to a JavaScript file containing the function that, when triggered, retrieves every value entered into the form.

Figure 4: main[.]php source code

Figure 5: index[.]js source code: Form value retrieval

Then, all the information retrieved will be sent to a Telegram account via a Telegram Bot API.

Figure 6: index[.]js source code: Telegram bot API call

All queries to the Telegram Bot API must be served over HTTPS and need to be presented in this form: https://api.telegram[.]org/bot<token>/METHOD_NAME. From here, we can identify the unique token of the bot used in this attack: bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo.

index[.]js also uses the external site ipinfo.io to harvest the victim’s client IP address and geolocation information. This information is also sent to the cybercriminals via the Telegram Bot API.

Figure 7: index[.]js source code: client IP and geolocation harvest

Figure 8: Client data harvested

Finally, the user is redirected to the next page checkpoint[.]php.

Figure 9: index[.]js source code

On this second phishing page, a fake One-Time Password (OTP) check takes place.

Based on the code, any value the user enters will only lead to an error message; no OTP is ever validated. However, the page does implement several functions for the countdown timer that pressures the user to enter the requested OTP.

Figure 10: Phishing page with OTP request

Figure 11: checkpoint[.]php source code

If the user clicks the option ‘Need another way to authenticate?’, a message box appears with some steps on what to do next. However, if the user clicks ‘Get Code’, the page redirects to a legitimate Facebook site that requires a log-in.

Figure 12: ‘Need another way to authenticate’ page

The source code of checkpoint[.]php also reveals the use of Google Analytics with the specific ID: UA-177207786-1.

Figure 13: checkpoint[.]php source code

Google Analytics is a web analytics service, part of the Google Marketing Platform brand, that tracks and reports website traffic.

The property ID is the identifier associated with the user account and is used by Google Analytics to collect data. The UA prefix stands for ‘Universal Analytics’, which is the current version of Google Analytics. The number that follows is the Google Analytics account ID. The postfix number is the index of the property connected to that account. Up to 50 properties can be connected to the same Google Analytics account, so the postfix ranges from 1 to 50.

Figure 14: Google Analytics ID Structure

The Google Analytics property tracking ID is embedded in the Global Site Tag, which is provided in the admin area of the account.

Searching VirusTotal for this Google Analytics ID returns several Facebook phishing URLs, so the ID itself is a useful pivot for threat hunting.
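The Telegram Bot API URL format described above and the UA-<account>-<property index> structure of the Google Analytics ID are both fixed shapes, so they can be extracted from captured page source and turned into hunting pivots. The script below is an added example, not code from the phishing kit or from Trustwave; the embedded source is constructed, the bot token is a placeholder of the genuine length, and the ipinfo.io and Telegram patterns are assumptions based on the URLs shown in the write-up.

```python
import re

# Constructed sample of phishing-kit source, not the real index.js / checkpoint.php:
# the bot token is a placeholder with the genuine shape (<bot id>:<35 chars>), the
# first UA ID is the one from this write-up, the second is an impossible control case.
SAMPLE_SOURCE = """
var api = 'https://api.telegram.org/bot1234567890:AAFakeTokenForIllustrationOnly_0000/sendMessage';
fetch('https://ipinfo.io/json').then(r => r.json());
gtag('config', 'UA-177207786-1');
gtag('config', 'UA-12345-51');
"""

# Bot API calls look like https://api.telegram.org/bot<token>/METHOD_NAME.
TELEGRAM_RE = re.compile(r"https://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)")
# Universal Analytics property IDs: UA-<account id>-<property index>.
GA_RE = re.compile(r"\bUA-(\d+)-(\d+)\b")
# ipinfo.io lookups used to harvest the victim's IP and geolocation.
IPINFO_RE = re.compile(r"https?://ipinfo\.io/[\w/]*")


def defang(url: str) -> str:
    """Render a URL in the hxxps://example[.]com form used for IoC sharing."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    return scheme.replace("http", "hxxp") + sep + rest.replace(".", "[.]")


def extract_indicators(source: str) -> dict:
    """Pull the pivotable indicators out of captured page source."""
    telegram = [{"token": token, "method": method}
                for token, method in TELEGRAM_RE.findall(source)]
    ga_ids = []
    for account, index in GA_RE.findall(source):
        ga_ids.append({
            "id": f"UA-{account}-{index}",
            "account": account,
            # A UA account holds at most 50 properties, so the index must be 1..50.
            "plausible": 1 <= int(index) <= 50,
        })
    ipinfo = [defang(u) for u in IPINFO_RE.findall(source)]
    return {"telegram": telegram, "ga_ids": ga_ids, "ipinfo": ipinfo}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_SOURCE)
    for hit in found["telegram"]:
        print("Telegram bot token:", hit["token"], "method:", hit["method"])
    for ga in found["ga_ids"]:
        print("GA ID:", ga["id"], "account:", ga["account"], "plausible:", ga["plausible"])
    print("Geolocation lookups:", found["ipinfo"])
```

The GA account number and the bot token are the values worth feeding into a VirusTotal or passive-DNS search, since the kit's hosting domains change far more often than its exfiltration plumbing.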

Figure 15: Sample screenshot of VirusTotal search result using Google Analytics ID

During our research, we also discovered several other phony Facebook accounts that use this social engineering technique:

Figure 16: Fake Appeal Form page

Figure 17: Fake Account Restrictions page

Figure 18: Fake Social Network Violations page

Figure 19: Fake Page Recovery Notifications page

The majority of these URLs use free web hosting sites or URL shortening services that redirect to the destination phishing site. Some also use newly registered domains that are affiliated with neither Facebook nor Instagram.

These types of posts or pages can be easily found by searching for specific keywords like ‘appeal form’ in Facebook’s search box:

Figure 20: Text box search for Appeal Form page

To wrap up, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are advised to be extra careful when receiving violation notifications and not to be fooled by the apparent legitimacy of the initial links.

IOCs

URLs

hxxps://www[.]facebook[.]com/01oix2/posts/102106376025783
hxxps://meta[.]forbusinessuser[.]xyz/?fbclid=123
hxxps://meta[.]forbusinessuser[.]xyz/main[.]php
hxxps://meta[.]forbusinessuser[.]xyz/checkpoint[.]php
hxxps://api[.]telegram[.]org/bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo/
