Eight million businesses advertise their products on Facebook. 

To do so, they use Facebook Ads manager, which is the back-end dashboard to create, manage and analyze campaigns. (It can also be used for Instagram.)

Within the Ads manager, you can create a lead generation form. It allows users to enter their email address and other information to obtain a document or other asset; the company on the other end receives the email address to begin marketing activities.

Now, this form is being used by hackers to obtain much more than email addresses.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are using Facebook forms to steal credentials and key personal information. 

Attack

In this attack, hackers are using Facebook forms to create credential harvesting pages

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, Static Expressway
  • Target: Any end-user



Email Example #1



This email claims to come from Facebook’s (Meta’s) ad manager team. The email claims that an ad doesn’t comply with their standards, and thus the ad account is disabled. In order to rectify this, you must create an appeal. That is the Facebook lead gen form that will instead be used to obtain passwords and credit card information. Notice that the email address is an Outlook domain, not from Facebook. You’ll also notice that the address is incorrect. Ironically, Meta’s main address is 1 Hacker Way in Menlo Park (not Menlos Park). The zip code is also off.




Email Example #2:



 

 

This is a similar email that comes from a separate address. The content of the email is slightly different, but the goal is the same. 

 

Techniques

Our researchers have been consistently tracking phishing emails that come from legitimate sources. We call this The Static Expressway. It refers to the fact that hackers are leveraging sites that appear on static Allow Lists. That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox. 

Facebook is one of those sites. So a link from Facebook would appear to be legitimate and not scanned for further malicious content.

For the end-user, seeing that their Facebook ad account has been suspended is cause for concern. Some of the traditional techniques for checking if an email is phishing won’t apply. Since it’s a legitimate Facebook link, the user would feel confident continuing on. If they saw the email address as different from an actual Facebook account, that would be cause for concern. If not, though, it’s straight to Facebook to resolve the issue.

Leveraging legitimacy is a key trend that hackers are exploiting. We've seen this most recently with PayPal, AWS, QuickBooks and more. Legitimacy has two ways of working. It fools the scanner into thinking the email is real. And it fools the end-user.

It allows hackers to not only get into the inbox, but also get the end-user to act. That’s the ultimate win-win. 

Avanan notified Facebook of these findings, and will update this blog with any additional information. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check reply-to addresses to make sure they match
  • Be sure to pay attention to grammar, spelling and factual inconsistencies within an email
  • If ever unsure about an email, ask the original sender