Facebook is the most popular social network worldwide, outperforming every other competitor for reach and active users, according to Statista. Further, according to Sprout Social, Facebook is the third-most visited website following Google and YouTube. Thus, when a phishing campaign leverages the Facebook brand, the implications are particularly consequential.
Check Point's email security researchers have recently discovered a new Facebook-themed phishing campaign that has been sent to at least 12,279 email addresses and targets hundreds of companies.
The campaign began around December 20th 2024 and has primarily affected enterprises in the EU (45.5%), the US (45.0%) and Australia (9.5%). Versions of the notification have also been found in Chinese and Arabic, showing that the campaign targets companies across several regions and languages.
How it works
The cyber criminals send the messages through Salesforce's automated bulk-mailing service, which is sold as a marketing tool. In other words, they do not exploit a vulnerability in, or bypass, Salesforce's security systems. They use the service as designed and simply leave the default sender identity in place, so the email arrives branded with the address noreply@salesforce.com. Because the message really is sent by Salesforce's infrastructure, sender-authentication checks on that domain pass; the tells are in the display name, the content and the destination links, not in the sending domain.
The emails themselves contain phony versions of the Facebook logo and falsely notify recipients of copyright infringement. “It has been reported that your recent activity might be in violation of copyright laws,” reads one email.
Sample email 1
Sample email 2
Chinese-language sample email
Recipients who are taken in by the email and follow its link are led to a fake Facebook support page. The page prompts them to enter their login details, handing their credentials to the cyber criminals. Text on the page presents the credentials as necessary to have the account "reviewed" rather than disabled.
Cyber criminal landing page with embedded credential harvesting technology
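The tells described above can be encoded as a simple triage rule: a brand named in the display name that does not match the sending domain, a bulk-mail provider's default sender address, takedown-style pressure wording, and links whose host is not one the brand owns. The Python below is an added example written for this page, not Check Point's detection logic or an artefact of the campaign. The two messages are constructed for illustration; the brand and provider lists, the pressure-word list and the scoring are assumptions (facebookmail.com is included because Facebook's genuine notifications are sent from it).

```python
"""Heuristic triage for brand-impersonation phishing sent through a legitimate
bulk-mail provider. Added example: the two messages below are constructed
(not samples from the campaign) and the lists and scoring are assumptions."""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a brand legitimately sends from or links to (assumption: illustrative list).
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com", "facebookmail.com", "meta.com"}}
# Bulk-mail providers whose default sender address is often left unchanged (assumption).
BULK_SENDERS = {"salesforce.com"}
# Pressure wording typical of fake copyright/takedown notices (assumption).
PRESSURE_WORDS = ("copyright", "infringement", "violation", "appeal", "disabled", "reviewed")


class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude registrable-domain guess (last two labels); a real filter would use the
    Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw):
    """Return the number of tells found in a raw RFC 5322 message and why."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["from"]
    if from_hdr is None or not from_hdr.addresses:
        return {"score": 1, "reasons": ["missing or unparsable From header"], "links": []}
    sender = from_hdr.addresses[0]
    display = (sender.display_name or "").lower()
    sender_domain = sender.domain.lower()
    subject = (msg["subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    reasons = []

    # Tell 1: brand in display name/subject, but sent from a domain the brand does not own.
    brand = next((b for b in BRAND_DOMAINS if b in display or b in subject), None)
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        reasons.append(f"claims to be {brand} but sent from {sender_domain}")

    # Tell 2: the provider's default sender address was left in place.
    if sender_domain in BULK_SENDERS:
        reasons.append(f"default bulk-mail sender address at {sender_domain}")

    # Tell 3: takedown-style pressure wording in subject or body.
    text = subject + " " + body.lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("pressure wording: " + ", ".join(hits))

    # Tell 4: links leave the brand's domains, or reuse the brand name in a lookalike host.
    extractor = LinkExtractor()
    extractor.feed(body)
    for href in extractor.hrefs:
        host = urlparse(href).hostname or ""
        if brand and registrable_domain(host) not in BRAND_DOMAINS[brand]:
            reasons.append(f"link to non-{brand} host {host}")
            if brand in host:
                reasons.append(f"lookalike host uses brand name: {host}")

    return {"score": len(reasons), "reasons": reasons, "links": extractor.hrefs}


# Constructed sample 1: the pattern described in the article (not a captured message).
PHISH_EML = b"""From: "Facebook Support" <noreply@salesforce.com>
To: page-admin@example.com
Subject: Notice of copyright infringement on your page
Content-Type: text/html; charset="utf-8"

<html><body>
<p>It has been reported that your recent activity might be in violation of copyright laws.</p>
<p>To avoid your page being disabled, submit an appeal so the account can be reviewed.</p>
<p><a href="https://facebook-support-appeal.example/review?id=1">Review account</a></p>
</body></html>
"""

# Constructed sample 2: a benign notification from the brand's own domain.
BENIGN_EML = b"""From: "Facebook" <notification@facebookmail.com>
To: page-admin@example.com
Subject: Someone commented on your post
Content-Type: text/html; charset="utf-8"

<html><body><p>Jane commented on your post.</p>
<p><a href="https://www.facebook.com/notifications">View comment</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        result = triage(raw)
        print(label, result["score"], *result["reasons"], sep="\n  ")
```

Run stand-alone, the constructed phishing sample scores 5 (sender mismatch, default bulk-mail sender, pressure wording, an off-brand link and a lookalike host) while the benign notification scores 0. Note what the rule does not do: it never tests SPF, DKIM or DMARC, because in this campaign those checks genuinely pass for salesforce.com.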
Implications
Organizations that rely on a Facebook page as a storefront, for advertising, for brand awareness or for other business activities are particularly exposed to this threat.
Any cyber criminal who gains access to a Facebook admin account can potentially gain control over a business page. The individual can then alter content, manipulate messaging, or delete posts. Security settings could also be changed, preventing authentic administrators from easily re-accessing the account.
An account breach of this nature can subsequently result in loss of client trust. After a Facebook account is hijacked, clients may perceive a business as negligent, and may move away from the business or pursue lawsuits.
Further, for businesses in regulated industries, like healthcare and finance, a data breach could lead to non-compliance, culminating in fines and legal challenges.
For organizations: Proactive means of avoiding this threat
- Set up alerts. Turn on Facebook's login alerts so that administrators are notified of sign-ins from unrecognised devices or locations, and review unusual page activity promptly. Require two-factor authentication for every admin account, so that a harvested password alone is not enough to take the page over.
- Educate employees. Inform Facebook admins that instead of clicking a link in any email that appears to come from Facebook, they should navigate directly to the organization's Facebook page and sign in. Any genuine notice about the account's status can be verified from there.
- Educate customers. A hijacked business page is often used to push further phishing links to its followers. Tell customers how and under what circumstances they should expect to hear from the business, so that out-of-pattern messages raise suspicion.
- Incident response plan. Maintain a clear phishing-response plan that records how to recover a compromised Facebook account and how to inform customers, if necessary.