- Huntress uncovers phishing campaign abusing Meta’s business account email infrastructure and impersonating the Meta Agency Partner Program
- Victims were tricked into handing over credentials, which attackers exfiltrated to Telegram for account takeover, scam ads, and targeted phishing
- Meta has since added guardrails that killed the campaign; Huntress published IoCs to help organizations detect related activity
Hackers are abusing one, and impersonating another legitimate Meta service, to try and steal login credentials for people’s business accounts with the company.
Meta, the owner of Facebook, Instagram, WhatsApp, and more, allows businesses to set up separate accounts and talk to each other. The emails sent from one to another pass through the company’s infrastructure, meaning they are shown as coming from Meta itself.
However up until recently, hackers were abusing this fact to send phishing emails that landed directly into their victims’ inboxes, security researchers Huntress explained. The company even tried to curb this by hardcoding a disclaimer that email senders are not part, or affiliated with, Meta, but crooks found creative ways around this, as well.
Spending money
The phishing emails redirected victims to landing pages outside Meta’s ecosystem. These pages were designed to mimic Meta Agency Partner Program, a legitimate initiative that connects businesses with professionals in social media management work.
Those who would fail to see the ruse would end up trying to log into their accounts, instead just sharing their login credentials with the attackers. The secrets would get exfiltrated to a Telegram account under the threat actors’ control, which they could later use for different things, from phishing to malvertising.
“Threat actors can leverage Meta business accounts to spend the victim’s money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks at the business’ customers or social media followers.” the researchers explained.
Over the last couple of months, the campaign evolved and changed, using different lures and mechanics, but keeping the same end goal. However, Meta has effectively killed it by adding additional guardrails that now make it impossible to run.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/iiobK7D8pysDnhkkAGDsgH-2560-80.jpg
Source link




