Ongoing Phishing Attack Targets Facebook ‘Meta Business Administrators’

Scott Claeys
Jan 14, 2024

The landing page that is presented to Meta Business Admins within a sophisticated phishing attack.

There is currently an ongoing phishing campaign targeting Meta Business Admins that uses Facebook Acceptable Use and Community Policies in a sophisticated social engineering plot to trick the administrator into submitting sensitive credentials, or potentially even into giving the attacker control of the admin’s remote device.

…What’s worse: the mechanism of delivery for this attack? Messenger, Meta’s own web and mobile chat application.

Over the last 14 days, I’ve counted 6 unique instances of occurrence across a number of pages, and each time, I’ve submitted a report with as much related data as the submission form would accept to Facebook/Meta’s designated channels. I had hopes that the response would be quick, and that we’d be done with this specific nuisance.

The impact on small teams of having to react to and acknowledge the constant stream of inbound spam many pages receive is enough to take the “wind out of the sails” of independents and small businesses, let alone the escalation to malicious targeted phishing attacks.

At the least, these attempts are time-consuming disruptions that make Meta Business administration even more cumbersome than it already is.

At the worst, a number of unsuspecting (read: overly trusting) admins could find themselves in a compromised state of ownership of their Meta assets, which could potentially lead to untold impacts on their businesses.

Why is this Phishing Attack More Concerning than Others?

This attack poses a greater threat than others because its method of delivery is almost entirely concentrated within the Meta platform.

The typical phishing attack by email involves attempting to deceive the mail recipient into taking an action under the guise that they have been contacted by a legitimate entity they trust. The recipient is told to click some link to avoid some type of account disruption (generally) and upon clicking this link they are met with a webpage disguised as their trusted entity’s website or application. Any actions made or information sent by the user are shared directly with the attacker, rather than with the trusted interface with which they believed they were interacting.

In this case, however, a Meta user/admin receives a push notification or email from a Meta notification application, alerting them of a new message in Messenger.

The attackers have added all the appropriate meta information to give the appearance of authentic Meta links.

By using these channels, the attacker effectively hijacks Meta’s platforms and infrastructure to deliver their highly targeted malicious content directly into the inboxes of users. Of course, the assumed “TRUST” with which admins and users interact freely within the Metaverse is the most concerning aspect here.

The attackers have now inherited this trust as the recipient is only directly notified of any of this through official Meta interfaces, which begin to appear to be the perfect vessel for this seemingly elementary reverse engineering and social engineering attack.

All the while, the attack circumvents about two-thirds of the checkpoints typically used to identify and prevent email phishing. When these messages are sent via email, there are opportunities for security measures to identify and stop the spread of the messages through globally exposed data sets that can be used to validate email and senders.

Within Meta, the sender is the receiver is the sender, so there’s no caution on whether they should send or deliver the message which has just been generated from within themselves…

“No red flags there”, the admin thinks, as he’s conveniently whisked to the messaging interface. “Nice, no authorization needed!” he thinks as he is automatically logged in by merit of him already being logged into Facebook (who’s assigned him a trust score of “A1-Best”, due to having an uninterrupted logged-in session dating back to 2019).

Obviously, I’m exaggerating here…but it’s still of great concern and I hope they patch this issue quickly.

Here is the most recent message sent to one of our business pages:

Important Notification:

Your Facebook page will be permanently deleted due to a post that infringes our trademark rights. We have made this decision after careful consideration and in compliance with our intellectual property protection policies.

If you believe this is a misunderstanding, please submit a complaint requesting the restoration of this page before it is removed from Facebook.

Request for Review: hxxps//case-01569026[.]help-desk-information[.]com

We understand that this may impact your current business objectives. If we do not receive a complaint from you, this will be our final decision.

Thank You,

This is a message from a temporary support agent with support id 78844890, please visit the link above and follow the instructions.

© Noreply Facebook. Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025
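Because the lure arrives through Messenger, sender-side email checks never run, so the link in the message body is what an admin or a page-inbox filter can still verify. The sketch below is an added example, not code from the original post: it refangs links found in a message, flags hosts that are not under an assumed list of Meta-owned domains, and records the pressure phrases used in the message quoted above. The domain list, the function names and the benign sample are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains treated as Meta-owned for this check.
META_DOMAINS = {"facebook.com", "fb.com", "meta.com", "messenger.com"}
# Pressure phrases taken from the message quoted above.
PRESSURE = ("permanently deleted", "final decision",
            "request for review", "submit a complaint")
# Matches live and defanged links (hxxp, missing ':').
URL_RE = re.compile(r"\b(?:hxxps?|https?)[:/]\S+", re.I)

def refang(token):
    """Rebuild a parseable URL from a defanged indicator."""
    t = token.replace("[.]", ".").replace("(.)", ".")
    t = re.sub(r"^hxxp", "http", t, flags=re.I)
    t = re.sub(r"^(https?):?/{0,2}", r"\1://", t, flags=re.I)
    return t.rstrip(".,)")

def is_meta_host(host):
    """True only for an allowlisted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)

def triage(message):
    """Flag messages that speak for Meta but link off-platform."""
    hosts = []
    for token in URL_RE.findall(message):
        host = urlsplit(refang(token)).hostname or ""
        if not is_meta_host(host):
            hosts.append(host)
    text = message.lower()
    claims_meta = "facebook" in text or "meta platforms" in text
    return {
        "off_platform_hosts": hosts,
        "pressure_phrases": [p for p in PRESSURE if p in text],
        "suspicious": bool(hosts) and claims_meta,
    }

# Abridged from the message quoted above (link kept defanged as on the page).
LURE = ("Your Facebook page will be permanently deleted due to a post that "
        "infringes our trademark rights. Request for Review: "
        "hxxps//case-01569026[.]help-desk-information[.]com If we do not "
        "receive a complaint from you, this will be our final decision.")
# Constructed benign sample for comparison.
BENIGN = "Facebook: new message. https://business.facebook.com/latest/inbox"

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(msg))
```

The suffix match in `is_meta_host` requires a dot boundary, so a host that merely starts with or contains `facebook.com` is still reported as off-platform.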


Written by Scott Claeys

Founder/Operations Manager @RadWebHosting Here’s my less serious work: https://claeys.co