- Joined
- May 15, 2016
- Messages
- 10,340
- Likes
- 2,620
- Points
- 1,730
The campaign spread ads and made the attacker several million dollars
Researchers discovered a large-scale phishing campaign that used Facebook and Messenger to lure millions of users to phishing pages to collect credentials and display ads. The attacker from the stolen accounts sent additional phishing messages to the victim's friends, earning significant advertising revenue.
PIXM tracked down the cybercriminal by posting a link to a public traffic monitoring application (whos.amung.us) on one of the phishing pages. The threat actor used automated tools to send additional phishing links to the victim's friends and compromised even more accounts.
To bypass phishing URL protections, messages used approved URL generation services "litch.me", "known.co", "amaze.co", and "funnel-preview.com". Phishing pages were visited by 8.5 million users and entered their credentials. After entering the data, there were multiple redirects to advertising pages, survey forms, etc. From all the redirects, the attacker received referral income of several million dollars.
.png)
The researchers found a common code snippet across all landing pages. The code contained a link to a website owned by Colombian Rafael Dorado, but was taken down as part of an investigation. Previously, Malwarebytes researchers have identified a campaign that uses a fake Firefox update and contains malicious ads.
.png)
Avast also discovered a new malicious campaign called FakeCrack. During the operation, the attackers distribute malware that steals passwords, bank card data, and cryptocurrency wallets from users. The malware is distributed through a pirated version of the CCleaner Pro utility.
__________________
Researchers discovered a large-scale phishing campaign that used Facebook and Messenger to lure millions of users to phishing pages to collect credentials and display ads. The attacker from the stolen accounts sent additional phishing messages to the victim's friends, earning significant advertising revenue.
PIXM tracked down the cybercriminal by posting a link to a public traffic monitoring application (whos.amung.us) on one of the phishing pages. The threat actor used automated tools to send additional phishing links to the victim's friends and compromised even more accounts.
To bypass phishing URL protections, messages used approved URL generation services "litch.me", "known.co", "amaze.co", and "funnel-preview.com". Phishing pages were visited by 8.5 million users and entered their credentials. After entering the data, there were multiple redirects to advertising pages, survey forms, etc. From all the redirects, the attacker received referral income of several million dollars.
The researchers found a common code snippet across all landing pages. The code contained a link to a website owned by Colombian Rafael Dorado, but was taken down as part of an investigation. Previously, Malwarebytes researchers have identified a campaign that uses a fake Firefox update and contains malicious ads.
Avast also discovered a new malicious campaign called FakeCrack. During the operation, the attackers distribute malware that steals passwords, bank card data, and cryptocurrency wallets from users. The malware is distributed through a pirated version of the CCleaner Pro utility.
__________________