Article Details
Scrape Timestamp (UTC): 2025-11-10 18:38:02.860
Source: https://www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/
Original Article Text
Phishers try to lure 5K Facebook advertisers with fake business pages
One company alone was hit with more than 4,200 emails.

More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign.

Check Point researchers say that they spotted about 40,000 phishing emails sent to their customers across the US, Europe, Canada, and Australia - and they were sent from the legitimate facebookmail.com domain. While most organizations received fewer than 300 messages, one company alone was hit with more than 4,200.

To pull off this phishing expedition, the criminals created shell Facebook Business pages representing businesses that don't exist, and then used the Business invitation feature to send phishing emails that look like the real deal. This makes the fake notifications look more convincing because they appear to come directly from Meta, plus the legit domain helps the phishing emails bypass security filters.

Both of these things, plus urgent language like "account verification required," mean that recipients are more likely to click on the malicious Facebook link, and then be redirected to phishing websites that steal users' credentials and other sensitive information.

Targeted industries include automotive, education, real estate, hospitality, and finance, and while the emails mostly went to smaller and mid-size businesses, the phishing expedition also caught a "smaller number of large, well-known companies," according to the Check Point security researchers.

"These sectors, particularly those that rely on Meta platforms for customer engagement, are ideal targets because their employees frequently receive genuine 'Meta Business' notifications and are therefore more likely to trust such messages," the researchers note.

Meta did not immediately respond to The Register's inquiries about this campaign.
We should add: Check Point provides email security to its customers, so on one hand the Monday report is saying that the vendor's products did what they were supposed to do - stop phishing attacks. However, because of the scale and global nature of this campaign, it's worth putting the word out, as users beyond Check Point's customers should be on alert. We've asked the security firm for more details, including how many phishes resulted in compromised credentials and stolen data, and will update this story when we hear back from Check Point.

"This campaign underscores a growing trend where cyber criminals weaponize legitimate services to gain trust and bypass security controls," the research team noted. "While the volume of emails may suggest a spray-and-pray approach, the credibility of the sender domain makes these phishing attempts far more dangerous than ordinary spam."
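As an added illustration of the detection problem the researchers describe (example code, not from Check Point, Meta or The Register): because the sender domain and its SPF/DKIM results are genuine, triage has to rest on content and volume signals rather than sender reputation. The two sample notifications, the partner-page list and the volume threshold below are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed samples modelled on the page's description: a genuine-looking invite
# and an urgency-laden one, both from the real facebookmail.com domain.
SAMPLES = [
"""\
From: Meta Business <notification@facebookmail.com>
Subject: You have been invited to manage Acme Dealership
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=facebookmail.com

You were invited to manage the business page: Acme Dealership.
""",
"""\
From: Meta Business <notification@facebookmail.com>
Subject: Account verification required
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=facebookmail.com

You were invited to manage the business page: Meta Verification Team.
Account verification required within 24 hours or your ad account will be suspended.
""",
]
KNOWN_PARTNER_PAGES = {"Acme Dealership"}  # pages the org really works with (assumed)
INVITE_SPIKE_THRESHOLD = 50  # invites/day before volume alone is worth a look (assumed)
URGENCY = re.compile(r"verification required|within \d+ hours?|will be suspended", re.I)
INVITE = re.compile(r"invited to manage the business page: (?P<page>[^\n.]+)", re.I)

def authenticated_meta_sender(msg):
    """True when SPF/DKIM show the mail really left facebookmail.com.
    That is the campaign's trick: this check passes, so it must not decide alone."""
    auth = msg.get("Authentication-Results", "")
    return "facebookmail.com" in msg.get("From", "") and "spf=pass" in auth and "dkim=pass" in auth

def score_invite(raw):
    """Content signals the page names: unknown inviting page and urgent wording."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    m = INVITE.search(text)
    page = m.group("page").strip() if m else None
    reasons = []
    if page not in KNOWN_PARTNER_PAGES:
        reasons.append("invitation from a business page not on the partner list")
    if URGENCY.search(text):
        reasons.append("urgency wording inside a routine invitation notice")
    return {"legit_sender": authenticated_meta_sender(msg), "page": page, "reasons": reasons}

def triage(batch):
    """Per-message scores plus the org-level volume signal (one victim got 4,200)."""
    scores = [score_invite(r) for r in batch]
    return {"suspicious": [s for s in scores if s["reasons"]], "volume_alert": len(batch) > INVITE_SPIKE_THRESHOLD}
```

Both samples pass the sender check; only the second is flagged, and only because of what it says, which is the point the researchers make about legitimate-domain phishing.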
Daily Brief Summary
A large-scale phishing campaign targeted over 5,000 businesses using Facebook for advertising, with attackers sending approximately 40,000 emails from the legitimate facebookmail.com domain.
Attackers created fake Facebook Business pages and used the Business invitation feature to send deceptive emails, making them appear as legitimate Meta notifications.
The phishing emails aimed to steal credentials and sensitive information by redirecting users to fraudulent websites, exploiting trust in Meta's communication channels.
Targeted sectors included automotive, education, real estate, hospitality, and finance, with both small and large companies affected, particularly those relying on Meta for customer engagement.
Check Point researchers noted the campaign's global reach, affecting businesses in the US, Europe, Canada, and Australia, and emphasized the need for heightened vigilance beyond their customer base.
The campaign demonstrates a growing trend of cybercriminals exploiting legitimate services to bypass security controls, posing a significant threat to businesses worldwide.
Meta has not yet responded to inquiries about the phishing operation, while Check Point continues to investigate the extent of compromised credentials and data theft.