A significant Facebook Messenger phishing campaign is on the rise, targeting approximately 100,000 business accounts per week. Cybercriminals utilize a vast network of fake and compromised Facebook profiles to dispatch millions of phishing messages through Messenger.
The messages lure victims into downloading RAR or ZIP archives that contain an evasive Python-based stealer, which harvests cookies and saved passwords from web browsers. Guardio Labs' recent report estimates that roughly one in seventy targeted accounts is ultimately compromised, a rate that translates into substantial financial losses for the affected businesses.
The attackers open the campaign by sending deceptive messages to Facebook business accounts, typically posing as copyright-violation notices or inquiries about products.
The attached archive holds a batch file that, when run, fetches a malware dropper from GitHub repositories; the dropper is built to evade detection and leave as few traces as possible. The stealer then collects the victim's browser cookies and saved login data, packs them into a ZIP archive, and exfiltrates it to the attackers through a Telegram or Discord bot API.
To keep control of the accounts, the stealer then wipes all cookies from the victim's browser. This logs the victim out of every session and gives the scammers a window in which to use the stolen session cookies themselves, change the account passwords, and lock the legitimate owner out of the hijacked accounts.
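The three stages above (a batch file launched out of an extracted archive, a fetch from GitHub, and a Python process posting to a Telegram or Discord bot API) are each noisy on their own but distinctive as a chain. The following is an added detection example, not code from this page or from Guardio Labs: it walks constructed, EDR-style process and network events and alerts only when all three stages appear in one process lineage. The event schema, the sample paths and the host lists are assumptions chosen to match the chain described in the text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example. The event shape and every sample value below are constructed
# for illustration; they are not telemetry from the campaign on this page.

@dataclass
class Event:
    ts: int              # seconds since epoch (constructed)
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int = 0        # parent pid, process events only
    image: str = ""      # executable path, process events only
    cmdline: str = ""    # full command line, process events only
    dest_host: str = ""  # destination hostname, network events only

# Stage 1: a .bat launched from a user-writable directory such as an
# extracted archive under Downloads (path fragments are assumptions).
BAT_FROM_USER_DIR = re.compile(r'(\\downloads\\|\\temp\\|\\desktop\\)[^"]*\.bat', re.I)
# Stage 2: payload retrieval from GitHub, as the text describes.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Stage 3: exfiltration to a Telegram or Discord bot/webhook API.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}


def process_map(events: List[Event]) -> Dict[int, Event]:
    """pid -> process-creation event, so parent chains can be walked."""
    return {e.pid: e for e in events if e.kind == "process"}


def ancestry(procs: Dict[int, Event], pid: int, max_depth: int = 6) -> List[Event]:
    """The process and its parents, nearest first; bounded so pid reuse cannot loop."""
    chain, cur = [], procs.get(pid)
    while cur and len(chain) < max_depth:
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain


def detect_stealer_chain(events: List[Event], window: int = 900) -> List[dict]:
    """Alert when a Python process contacts a bot API and, in its ancestry,
    a .bat from a user directory ran and some process in that same lineage
    fetched from GitHub within `window` seconds before the exfil connection."""
    procs = process_map(events)
    alerts = []
    for exfil in events:
        if exfil.kind != "network" or exfil.dest_host.lower() not in EXFIL_HOSTS:
            continue
        chain = ancestry(procs, exfil.pid)
        if not chain or "python" not in chain[0].image.lower():
            continue
        bat = next((p for p in chain if BAT_FROM_USER_DIR.search(p.cmdline)), None)
        if bat is None:
            continue
        lineage = {p.pid for p in chain}
        fetch = next((n for n in events
                      if n.kind == "network" and n.pid in lineage
                      and n.dest_host.lower() in GITHUB_HOSTS
                      and exfil.ts - window <= n.ts <= exfil.ts), None)
        if fetch is None:
            continue
        alerts.append({"pid": exfil.pid, "bat": bat.cmdline,
                       "fetched_from": fetch.dest_host, "exfil_to": exfil.dest_host})
    return alerts


# Constructed sample telemetry: one infection chain followed by a benign
# developer session that touches GitHub and Discord but has no .bat lineage.
SAMPLE_EVENTS = [
    Event(1000, "process", pid=100, ppid=1, image=r"C:\Windows\explorer.exe"),
    Event(1005, "process", pid=200, ppid=100, image=r"C:\Windows\System32\cmd.exe",
          cmdline=r'cmd.exe /c "C:\Users\alice\Downloads\Copyright_Notice\evidence.bat"'),
    Event(1010, "network", pid=200, dest_host="raw.githubusercontent.com"),
    Event(1020, "process", pid=300, ppid=200,
          image=r"C:\Users\alice\AppData\Local\Temp\py\python.exe", cmdline="python.exe update.py"),
    Event(1060, "network", pid=300, dest_host="api.telegram.org"),
    Event(2000, "process", pid=400, ppid=100, image=r"C:\Python311\python.exe", cmdline="python.exe ci.py"),
    Event(2005, "network", pid=400, dest_host="github.com"),
    Event(2010, "network", pid=400, dest_host="discord.com"),
]

if __name__ == "__main__":
    for alert in detect_stealer_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign session at the end is the point of requiring the whole chain: a developer's Python pulling from GitHub and posting to a Discord webhook matches stages 2 and 3 but produces no alert, while the infection lineage does. In production the same logic maps onto a SIEM join over process-creation and network-connection events keyed on the parent chain.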
While the attack chain may not be novel, the scale of this campaign is highly concerning. Guardio Labs reports around 100,000 phishing messages sent each week, with targets mainly located in North America, Europe, Australia, Japan, and Southeast Asia. Approximately 7% of all Facebook business accounts have been targeted, and 0.4% have downloaded the malicious archive.
Guardio Labs attributes the campaign to Vietnam-based actors on the basis of Vietnamese-language strings found in the malware and its references to the "Coc Coc" web browser, a browser popular in Vietnam.
This campaign highlights the ongoing threat posed by cybercriminals targeting Facebook with large-scale operations, often monetizing stolen accounts through resale on platforms like Telegram and the dark web.