Phishing campaign against Facebook users

February 17, 2021
malware adware phishing campaign facebook messenger social media

A recent phishing campaign has been rediscovered victimizing again Facebook users. The said modus has been around since 2017 and repurposed with the same tactic has been spotted since then. This new operation is believed to have resurfaced in January 2020 and targets users mainly from Germany and some more from different locations worldwide. Based on the researched statistics, victim counts have already reached almost half a million since it began.

The campaign was tagged – ‘Is that you?’ based on the line used to lure victims into opening the attachment. Victims are being sent a message through Facebook messenger via their added contacts that contain the tag line with a video attachment. Since the message is received from their friend contact list and confirms the attachment’s content, they become willing victims to the campaign. The victim’s curiosity will lead them to a compromised Facebook login page where they need to enter their credentials to continue to view the video attachment. Later, they will be redirected to websites that are injected with malicious code that includes adware and worst malware, and the intended video is nowhere to view. Unknowingly, the victim’s credentials are being captured by the adversaries for their perusal, as a consequence, the victims’ devices are now infected with malicious wares.

Digging into this current operation, cybersecurity experts can verify and possibly link it to an adversary situated in the Dominican Republic. They were able to see remnants of codes written in Spanish, and the domain that was mentioned was confirmed registered in the same country. As they further scrutinized the gathered evidence, researchers proved it was created with high sophistication. This was able to bypass the security imposed by Facebook on its platform. Tweaking on the code, experts were able to get hold of the adversary dashboard to view the whole operation’s statistic. The records show the graphical representation of the number of users affected, the number of devices per operating system used, and the default browser that the victim is using on their device. The adversary’s motive was not yet established on the report submitted by the experts as they were unable to see any stolen accounts that could have been used for other malicious activity nor have been sold out on the dark web. Thus, they can only conclude that this was only operated for spreading adware and malware.

Relevant authorities such as CERT in Germany and the Dominican Republic have already been notified about the Malicious Operation.


Facebook received the report to help stop the campaign in its platform’s operation, while the compromised website was already cleaned with the injected malicious code.


The public is warned to be constantly vigilant and always confirm anything they see and receive from the internet by directly contacting the sender either by call or known email address. An advisory of continuous awareness has also been placed to protect their accounts by creating a unique and robust password or activating multi-factor authentication. In case the account has been compromised, immediately change the password as the compromised account will indeed inflict damage to the victim and possibly to other close contacts.

About the author

Leave a Reply