
Messenger Chatbots Are Being Used As A Part of A New Phishing Attack

Facebook Messenger bots are being used in a new phishing attack that impersonates Facebook's support team to steal the credentials used to manage Facebook pages. The campaign targets the managers of these pages, which companies frequently use to provide support or to promote their services.



Method


This phishing attack begins with an e-mail informing the recipient that their Facebook page has violated Community Standards and that they have 48 hours to appeal the decision before the page is deleted. The e-mail directs the user to Facebook's support center and urges them to click the "Appeal Now" button to access it. Clicking the button takes the victim to a Messenger conversation in which an automated chatbot impersonates a Facebook customer support agent. The chatbot sends the victim an "Appeal Now" button on Messenger, which leads to a website disguised as the Facebook Support Inbox.

On the main phishing page, users who wish to appeal the page deletion are asked for their email address, full name, page name, and telephone number. After they enter the data and click the "Submit" button, a pop-up window appears requesting the account password. Afterward, all information is sent to the threat actor's database using a POST request. Lastly, the victim is redirected to a fake 2FA webpage and prompted to enter the OTP received via SMS on the provided phone number. The page accepts anything, however, and serves only to create a false sense of legitimacy. Once the victims are verified, they are directed to an actual Facebook page containing intellectual property and copyright guidelines that are supposedly relevant to the user's violation.




