Researchers disclosed a large-scale phishing operation targeting Facebook and Messenger to lure millions of users. The users are drawn to phishing pages, from where their credentials are stolen and ads are displayed for revenue generation.

The phishing operation

The campaign has been active since September 2021 and peaked in April–May 2022. The stolen accounts were used to send further phishing messages to their friends, promoting the campaign exponentially and generating more revenue by showing ads.
  • Researchers tracked the attacker and mapped the campaign to one of the phishing pages hosting a link to a traffic monitoring app ( that was accessible without any authentication.
  • It is not known how the campaign targeted its victims initially. However, researchers suspect that victims arrived at phishing landing pages via a series of redirects from Facebook Messenger.
  • Researchers found a common code snippet in all landing pages, which included a reference to a website seized and part of an investigation against a Colombian man named Rafael Dorado.

Post-infection process

After more Facebook accounts were stolen, the attackers used automated tools to send more phishing links to friends of compromised accounts, thus creating a large growth in stolen accounts.
  • The phishing messages used genuine URL generation services (e.g. litch[.]me, famous[.]co, amaze[.]co), which are hard to block using security products, as these services are known to be used by legitimate apps.
  • After a victim inputs their account credentials on the phishing landing page, a new round of redirections starts. This redirection takes victims to advertising pages and survey forms, among others.

Additional Insights

In 2021, around 2.7 million users visited one of the phishing portals. This count has increased to 8.5 million this year.
  • Further, 405 unique usernames were used as campaign identifiers, each with a separate Facebook phishing page.
  • Initially, these phishing pages had 4,000 views, which has now surged to millions, while one page has 6 million views.


The phishing campaign is still ongoing, even after most of the identified URLs are now offline. Further, the use of legitimate services to bypass URL blocking has proven successful for attackers. To stay safe, users are suggested to stay vigilant and enable two-factor authentication.
Cyware Publisher