Cyber security researchers have revealed a massive ad phishing campaign targeting the accounts of more than 6.15 million Facebook users in at least 50 countries by hosting phishing pages on GitHub Pages, the static-site hosting service of the open source code repository GitHub.
According to Nepal-based cyber security firm ThreatNix, the list of affected users is growing at a fast pace of more than 100 entries per minute.
The researchers first detected the phishing campaign through a sponsored Facebook post offering 3 GB of mobile data from Nepal Telecom; the post redirected to a phishing site hosted on GitHub Pages. The page that posted the ad used the profile picture and name of Nepal Telecom and looked exactly like the real page.
Facebook users from several countries were targeted
“We saw similar Facebook posts targeting Facebook users from Tunisia, Egypt, the Philippines, Pakistan, Norway, Malaysia, etc.,” the firm said in a statement this week.
According to the firm, the campaign spoofs targeted ads from legitimate institutions in specific countries, using localized Facebook posts and pages. Links within these posts redirected to a static GitHub Pages site that presented a fake Facebook login panel.
Researchers find nearly 500 phishing pages
“The information stolen from all these static GitHub pages was being sent to two endpoints: the first a Firestore database and the second a domain owned by the phishing group,” the researchers said. “We discovered about 500 GitHub repositories with phishing pages that are a part of the same phishing campaign.”
At present, Facebook and GitHub have not commented on ThreatNix's report.
Scammers use bitly links
“Work is being done to take down the phishing infrastructure in collaboration with the relevant authorities, and we are withholding domain-related information until then,” ThreatNix said.
While Facebook takes measures to ensure that such phishing pages are not approved for advertisements, the researchers explained that the scammers were using bitly links that initially pointed to a legitimate page; once the ad had been approved, the link was changed to point to the phishing domain.
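The link-swapping trick described above can be caught by re-resolving a shortened link after approval and comparing where it lands now with where it landed when the ad was reviewed. The following is an added example, not code from ThreatNix or from the article: the redirect tables, the `bit.ly` path and the `.example`/`.invalid` hostnames are constructed sample data, and `follow_redirects` reads from an in-memory table so the script runs offline (a production version would issue HTTP requests with automatic redirects disabled and read each `Location` header instead).

```python
# Added example (not from the ThreatNix report or the article): compare the
# landing page of a shortened link at ad-approval time with its landing page
# now, to flag links that were repointed to a phishing domain after approval.
# All URLs and redirect tables below are constructed sample data; the
# ".example" and ".invalid" hostnames are placeholders, not real sites.
from urllib.parse import urlsplit

MAX_HOPS = 10  # assumption: a legitimate short link rarely needs more hops


def follow_redirects(start_url, redirect_table, max_hops=MAX_HOPS):
    """Return the chain of URLs visited from start_url to the final landing URL.

    redirect_table maps a URL to the Location it redirects to. In production
    this lookup would be an HTTP request issued with automatic redirects
    disabled (e.g. requests.get(url, allow_redirects=False)), reading the
    Location header of each 3xx response.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    while url in redirect_table:
        url = redirect_table[url]
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        if len(chain) >= max_hops:
            raise ValueError("too many redirect hops")
        chain.append(url)
        seen.add(url)
    return chain


def landing_host(chain):
    """Lower-cased hostname of the last URL in a redirect chain."""
    return (urlsplit(chain[-1]).hostname or "").lower()


def landing_changed(approved_chain, current_chain):
    """True if the short link now lands on a different host than when approved."""
    return landing_host(approved_chain) != landing_host(current_chain)


# Constructed snapshot of where the short link resolved when the ad was reviewed.
REDIRECTS_AT_APPROVAL = {
    "https://bit.ly/constructed-offer": "https://telecom-offer.example/3gb",
}

# Constructed snapshot taken after approval: the same short link now leads,
# via one extra hop, to a fake login page (in the campaign the article
# describes, that page was hosted on GitHub Pages).
REDIRECTS_NOW = {
    "https://bit.ly/constructed-offer": "https://fake-login-page.invalid/",
    "https://fake-login-page.invalid/": "https://fake-login-page.invalid/login.html",
}


def check_ad_link(short_url):
    """Resolve the link against both snapshots and report whether it moved."""
    approved = follow_redirects(short_url, REDIRECTS_AT_APPROVAL)
    current = follow_redirects(short_url, REDIRECTS_NOW)
    return {
        "approved_landing": approved[-1],
        "current_landing": current[-1],
        "changed": landing_changed(approved, current),
    }


if __name__ == "__main__":
    print(check_ad_link("https://bit.ly/constructed-offer"))
```

Comparing hosts rather than full URLs keeps the check from flaring on harmless path or query changes on the approved site; a stricter deployment could also require the current host to appear on an allow-list recorded at approval time.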