Trustwave security researchers discovered a new phishing campaign using Facebook Messenger chatbots to steal users’ credentials.
The chatbots would impersonate Facebook customer support staff to hijack pages by tricking page managers into providing their credentials.
Trustwave said the malicious sites and chatbots were taken down following its report.
The phishing attack involved an email informing recipients that Facebook would delete their page after two days for violating Meta’s Community Standards.
Trustwave noted the email had several errors that pointed out its dubious nature.
“Some errors are present in the message, such as the improper capitalisation of the word ‘Page’ and the missing dot at the end of the third sentence,” Trustwave said.
The researchers also advised users to check the email header for similar indicators of illegitimacy.
In this case, the sender’s name was “Policy Issues”, and the sender domain did not belong to Meta Platforms (formerly Facebook).
When victims clicked on the “Appeal Now” link, it redirected them to a Messenger conversation with a chatbot.
When Trustwave researchers inspected the fake support bot’s profile, they noted it was a business/fan page without followers or posts.
To convince users of its legitimacy, attackers used a Messenger logo as the profile’s picture.
When users clicked the “Appeal Now” button, they were redirected to a Google Firebase-hosted website camouflaged as a Facebook support inbox.
The “appeal” form requested that users enter their email address, name and surname, page name, and phone number.
After a target entered their credentials and clicked “Submit”, the form sent them to the attackers’ database.
After submitting the data, a pop-up asked users to confirm their passwords for security purposes.
Victims were then redirected to a fake two-factor authentication page, which used the mobile number entered earlier to continue the illusion of a legitimate process.
Trustwave’s researchers said users could enter any numerical code into the OTP field since it didn’t check the input’s length.
“This may make sense to the victim as it is now common practice to have another layer of authentication after providing such credentials,” Trustwave said.
After entering the OTP, targets got redirected to Meta’s legitimate intellectual property and copyright guidelines page.
“The fact that the spammers are leveraging the platform that they are mimicking makes this campaign a perfect social engineering technique,” Truswave said.
The Trustwave team advised social media users to remain vigilant and look for red flags in unsolicited emails.