As phishing continues to be a popular tactic for cybercriminals, one newly discovered scam allowed a threat actor to acquire a million Facebook account credentials in just four months. Anti-phishing firm PIXM discovered that a fake Facebook login page was standing in for the social networking site’s main page, and that users who entered their account credentials in an attempt to log in had their data stolen instead.

“It’s amazing how much money a threat actor can make without resorting to ransomware or other popular kinds of fraud like asking for gift cards or emergency PayPal requests,” Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel, said. “With enough size, even small actions like advertising referrals that pay pennies might build up to quantities that cybercriminals find appealing.”

The phishing tactics used to steal Facebook credentials

When PIXM investigated the bogus landing page further, it discovered “a reference to the actual server which is hosting the database server to gather users’ entered credentials,” which had been changed from the legitimate URL and resulted in a series of redirections. PIXM also uncovered a link to a traffic monitoring tool within the code, which allowed the anti-phishing firm to access the tracking stats. As a result, PIXM was able to discover not only the traffic information from the hackers’ page, but also a slew of other phoney landing pages.

“Many people underestimate the usefulness of their social media accounts, forgetting to establish multi-factor authentication and otherwise protect their accounts against fraudsters. When criminal actors gain control of an account, it is frequently used to harm their own friends and family,” said Erich Kron, a security awareness advocate at KnowBe4. “By using a real account that has been hacked, bad actors would use the trust inherent in a recognised relationship to persuade people to take activities or risks they would not otherwise take.”

Threat actors would get access to a victim’s account, then post hazardous links in bulk to the victim’s friend group to harvest more account credentials. The links were later shown to have originated from Facebook itself. The websites would deploy and generate URLs for the phoney Facebook landing page using services like,,, and, deceiving people into entering their account information and having it taken.

Additional analysis indicated that the attacks appeared to come from a threat actor in Colombia, and it also turned up the perpetrator’s email address.


One of the most effective ways to avoid these attacks is to avoid clicking on links that appear to be fraudulent or illegitimate, even if they appear to come from a friend or trusted source. A link that arrives from someone close to you is not guaranteed to have been sent by that person, as the large-scale phishing attacks described above demonstrate.

“People should be aware of the types of fraud schemes that fraudsters are doing and be on the lookout,” Clements added. “Any unexpected demands from social network contacts should be independently validated, such as by calling your friend to confirm the action they requested was authentic.”

Using MFA, which requires a code or string of digits to be entered before someone can access your account, is one way to avoid having your account compromised. Because fraudsters who have stolen a password still do not have all of the information needed to log in, this can stop them from taking over the account.

Individuals should enable MFA on their accounts and use unique and strong passwords for each account to safeguard themselves against the threat, according to Kron. “Even if provided by a trusted friend, individuals should always be wary of strange requests, posts, or messages. When requested to verify their identity, consumers should check the URL bar in their browser to confirm they are logging into the real website and not a spoof.”
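
The URL-bar check Kron describes can also be automated, for example in a mail filter or link scanner. The following is an added example, not code from PIXM or the original article; the function names, the trusted-domain list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain allowed to ask for the password.
TRUSTED_DOMAINS = ("facebook.com",)


def login_host(url):
    """Return the host a browser would connect to, or None if the URL is suspect."""
    # Browsers and urlsplit disagree on backslashes, whitespace and control
    # characters, so any URL containing them is treated as untrusted.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in url):
        return None
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    return host.rstrip(".")  # "facebook.com." and "facebook.com" are the same host


def is_genuine_login_url(url, trusted=TRUSTED_DOMAINS):
    """True only for an HTTPS URL whose host is a trusted domain or a subdomain of one."""
    host = login_host(url)
    if host is None:
        return False
    # Match whole DNS labels: "facebook.com.other.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample URLs (not taken from the campaign described above).
SAMPLES = [
    "https://www.facebook.com/login/",
    "https://m.facebook.com./login",
    "https://facebook.com.login-check.example/login",
    "https://www.facebook.com@login-check.example/",
    "http://www.facebook.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "genuine" if is_genuine_login_url(sample) else "SPOOF/UNTRUSTED"
        print(f"{verdict:16} {sample}")
```

Only the first two samples pass; the others place the brand name somewhere other than the registered host, or drop HTTPS.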