To evade security, Phishing Attack uses Facebook Posts

As part of an attack chain, a new campaign to phish users using Facebook posts is used. It tricks them into giving their account credentials as well as personally identifiable information (PII).

Targets are emailed with emails claiming to address a copyright violation issue in one recipient’s Facebook post. If no appeal is made, their account may be removed within 48 hours.

Phishing email sent to targets


You can appeal account deletion by clicking the link on This allows threat actors to bypass email security and send phishing messages directly into the inbox of the targeted.

This Facebook post appears to be Page Support. It uses a Facebook logo as an appearance that the company is managing it.

Facebook post masqueraded as a support page


To reduce victims’ chances of falling for the scam, however, the post contains a link that takes you to an external site that is phishing after Meta, the owner of Facebook.

Trustwave analysts discovered the phishing scheme by looking for the URLs below. These URLs remain accessible as of this writing.

  • meta[.]forbusinessuser[. ]xyz/?fbclid=123
  • meta[.]forbusinessuser[.]xyz/main[. ]php
  • meta[.]forbusinessuser[.]xyz/checkpoint[. ]php

These phishing websites are designed to look like Facebook’s copyright appeal page. They contain a form asking victims to fill out their name, address and username.

The landing phishing page mimics Facebook’s Help Center


The page collects victim’s IP address, geolocation information, and then exfiltrates all data to Telegram accounts under threat actor’s supervision.

Threat actors may collect additional information in order to bypass security questions or fingerprinting protections and take over the victim’s Facebook account.

A redirection will take the victim to another phishing site, where he/she will see a 6-digit OTP request and a timer.

Bogus 2FA step on the phishing site


Any code entered by the victim will cause an error. If the “Need another way?” button is clicked, the site redirects to the actual Facebook page. Clicking the link will redirect to the real Facebook page.

Trustwave analysts discovered, too that threat actors used Google Analytics to track their campaign’s efficiency.

This technique is widely used

Trustwave has reported that it found many Facebook accounts with fake posts that appear to be support pages. These leads victims to phishing sites.

Various Facebook accounts promoting the same fake alerts


To avoid being flagged or removed from social media platforms, these posts include URL shorteners to link to phishing websites.

These victims may be attracted to these posts by phishing email, such as the one in this report or instant messages on Facebook.