Check Point Email Security | Blog

Facebook Termination Notices Leads to Phishing

Written by Jeremy Fuchs | January 9, 2023

Last year, we wrote about a number of different Facebook-inspired attacks. See here and here for examples. 

These attacks primarily took advantage of the site’s Ad Manager service. Essentially, an end-user would receive a report that their ad account was at risk of termination–unless they took decisive action, now.

That action, of course, would lead to credentials being stolen.

It’s a New Year, but the attacks are still flowing from these spoofed Facebook accounts. 

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers are leveraging Facebook copyright infringement notices to steal credentials. 

 

Attack

In this attack, hackers are sending fake Facebook copyright infringement notices in the hopes of getting credentials. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, Impersonation
  • Target: Any end-user




Email Example #1

 

 

This email says that a Facebook account has been suspended. The reason given is that a photo uploaded to the account’s page has violated Facebook’s copyright infringement policy. 

In order to appeal this suspension, you have to, within 24 hours, make an appeal to avoid suspension. Otherwise, the account will be permanently suspended.

The link does not to go a Meta page, but rather a credential-harvesting page. 

Techniques

The best phishing emails are believable and play on urgency.

Though this email has a sender address that clearly does not come from Facebook, it’s otherwise fairly believable. Though we blurred it out, it mentions the page’s name. The link, on first look, appears to be believable (although when hovering over it, you’ll see that it does not go to a Facebook-related page). 

Where the user might be tempted is the idea that their account will be suspended within 24 hours. Think about it: If your organization relies on its Facebook page for advertisement, awareness and other business activities, having it permanently suspended will be quite difficult to overcome. Filing a quick appeal seems reasonable.

That’s where the hackers try to get you. And they are having success, as evidenced by the waves of these emails we’re seeing. When we see a number of similar attacks spoofing the same brand, we know that the hackers are getting people to bite.

 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always hover all URLs before clicking
  • Always double-check sender addresses
  • Log into the Facebook account directly to check the status of the account, instead of clicking on the URL in the email