Anatomy of a Facebook-Hosted Phishing Attack

A number of First Look Media staff reported a clever phishing attack to the security team. The attack, very similar to the one recently reported in the news, attempts to harvest Facebook login credentials by using Facebook’s own blogging platform, Notes, for its landing page, lending the campaign a false air of legitimacy by making the page appear to be an official Facebook-hosted one.

The phishing attack comes via an email which purports to be from Facebook, informing the user that their Facebook posts have been reported for copyright infringement. The email then suggests that if the user thinks the copyright claim has been filed in error, they can dispute the claim by following a certain facebook.com link to report the false claim and file an appeal.

Though the initial landing page of the phishing campaign is hosted on facebook.com, the page includes an off-site link; a targeted user who clicks it unknowingly navigates to the phisher’s own site, where they are asked to enter their credentials as part of a copyright takedown appeal form. Upon submitting the form, the user is redirected back to an official facebook.com page thanking them for contacting Facebook. The key takeaway is that modern, sophisticated phishing campaigns may be hosted on the very same websites that the campaigns are targeting.

The Phishing Operation

The Email

The attack is delivered via an email message which purports to come from Facebook, with a notification that the targeted user’s posts have been reported for copyright violations. The email further informs the user that “[i]f you think these reports have been filed by mistake or you are the copyright holder of the materials posted on the page please report this by using the following link”, followed by a link which at first glance appears to be to https://www.facebook[.]com/contact/appeal/111994093622362.

The email further cautions that “[i]f your page is not verified within 48 hours, we reserve the right to suspend the account without further notice”. Creating a false sense of urgency is a standard phishing tactic which attempts to coerce the user into immediate action without giving them time to critically think about the message.

Figure 1. The phishing email.

Phishing Red Flags

Aside from the sense of urgency, the email contains other standard phishing red flags such as:

  • Grammatical irregularities (e.g. “Any question?”);
  • An email address which does not correspond to the service it is claiming to be coming from (in this case, the email purports to be from Facebook, yet the email address is noreply@helpcenter.com);
  • A deceptive link, which does not point to the same URL as shown in the email.

Note that a lack of any of these red flags does not conversely mean that an email is legitimate; that is to say, a sufficiently-sophisticated phishing campaign may not have any spelling or grammatical irregularities and may further appear to be from a legitimate (e.g. *@facebook.com) email—whether via spoofing the email address or by using a previously-compromised email account (the aforementioned Charming Kitten group, for example, used compromised Twitter accounts of public figures to send phishing links, lending legitimacy to their campaign).

Another typical red flag that an email or a message is a phishing campaign is the presence of deceptive links, which appear to link to one site, but in fact redirect the user to another, malicious site (for instance, an email may appear to link to google.com, but when the link is clicked, it may actually take the user to another website because the displayed link may differ from the actual link).

This deceptive link red flag can typically be spotted, depending on the mail client used, in one of two ways: by hovering over the link in the email and waiting for the actual link URL to pop up at the bottom of the browser or next to the link, or by right-clicking on the link, selecting ‘Copy Link’, ‘Copy link address’, or something similar, and then pasting the copied text into a text editor to see the actual URL.

Note, however, that the malicious URL could be designed to look exactly like a legitimate URL by using substitute characters like a ‘1’ to represent an ‘l’ (a lowercase L), or an ‘l’ (a lowercase L) to represent an ‘I’ (an uppercase I). Similarly, the URL may use letters from different alphabets which appear visually indistinguishable (for example, this ‘о’ is from the Cyrillic alphabet and has a Unicode value of 1054, while this ‘o’ is from the Latin alphabet and has a Unicode value of 79; despite their virtually identical appearance, the two are nonetheless distinct characters, and therefore their respective URLs would go to different websites). Because of these kinds of homograph attacks, it is always best practice to manually go to the website in question instead of clicking on a link in an email or other message. For instance, if there is an email with instructions to click a link to access your Facebook account, manually log in to your Facebook account by opening a new tab and navigating to facebook.com.
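The two look-alike tricks described above (digit or letter substitution and cross-alphabet letters) can be checked mechanically. The following is an added example, not part of the original analysis; the confusables table is a small constructed subset, and the PROTECTED allow-list and sample hostnames are assumptions made for illustration.

```python
import unicodedata

# Constructed subset of look-alike pairs; not the full Unicode confusables table.
CONFUSABLES = {
    "1": "l", "I": "l",              # digit one and uppercase I read as lowercase L
    "0": "o",                        # digit zero reads as the letter o
    "\u043e": "o", "\u041e": "o",    # Cyrillic small and capital O
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic a, ie, er, es
}

# Hypothetical allow-list of names the organisation expects to see.
PROTECTED = ("facebook.com", "google.com")


def skeleton(name):
    """Fold look-alike characters onto one representative character."""
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in name)


def scripts(label):
    """Scripts used by the letters of a label (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_hostname(host, protected=PROTECTED):
    """Return (kind, detail) findings for a hostname as it is displayed to the user."""
    findings = []
    # A single label that mixes alphabets is a strong homograph signal.
    for label in host.split("."):
        if len(scripts(label)) > 1:
            findings.append(("mixed-script", label))
    # Different characters, same visual skeleton as a protected name.
    for good in protected:
        if host.lower() != good and skeleton(host) == skeleton(good):
            findings.append(("look-alike", good))
    return findings


# Constructed samples: Cyrillic 'o' in the first, digit '1' for 'l' in the second.
SAMPLES = ["faceb\u043eok.com", "goog1e.com", "facebook.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), check_hostname(sample))
```

A label written entirely in another alphabet is not mixed-script, so the skeleton comparison is the check that catches it.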

To return to the phishing case at hand, we can examine the URL to see that while it does not appear to go to the same exact location as the displayed link, it does nonetheless still go to a valid Facebook URL.

Figure 2. The displayed URL and the actual URL in the phishing email.

The displayed URL, https://www.facebook[.]com/contact/appeal/111994093622362, and the actual URL the link points to, https://www.facebook[.]com/111994093622362, are extremely similar, with the former attempting to garner a bit more legitimacy by adding the /contact/appeal/ path to the URL.
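The comparison of displayed link text against the real href can be automated over an email's HTML body. The following is an added example, not code from the original write-up; the sample markup is constructed (the first two anchors reuse URLs quoted on this page, the third uses placeholder example.com/example.net hosts), and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_and_path(url):
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def find_deceptive_links(html):
    """Flag anchors whose visible text is itself a URL that differs from the href."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # visible text is a label, not a URL, so there is nothing to compare
        shown = text if "://" in text else "http://" + text
        shown_host, shown_path = _host_and_path(shown)
        real_host, real_path = _host_and_path(href)
        if shown_host != real_host:
            findings.append(("host-mismatch", text, href))
        elif shown_path != real_path:
            # Same site, different page: the case in this campaign.
            findings.append(("path-mismatch", text, href))
    return findings


# Constructed sample body.
SAMPLE_HTML = """
<p>Report this by using the following link:
<a href="https://www.facebook.com/111994093622362">https://www.facebook.com/contact/appeal/111994093622362</a></p>
<a href="https://www.facebook.com/help/364458366957655/?ref=pages_sd"> See our Help Center.</a>
<a href="https://login.example.net/">https://www.example.com/</a>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(finding)
```

A check that compares hostnames only would pass the first anchor, since both URLs are on www.facebook.com; comparing paths as well is what surfaces it.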

In fact, all of the links and image assets in the phishing email point to valid Facebook links. Image assets are linked to directly from Facebook, for instance:

<img class="img _8o _8t" style="border: 0px currentColor; border-image: none; margin-right: 10px; display: block;" alt="" src="https://www.facebook.com/images/support_inbox/icons/s_itemicon_tps.png">

All other links in the email likewise point to legitimate Facebook destinations, for example:

<a style="color: rgb(59, 89, 152); text-decoration: none; cursor: pointer;" href="https://www.facebook.com/help/364458366957655/?ref=pages_sd"> See our Help Center.</a>

Email Headers

Mail clients typically allow one to view the ‘raw’ email, which contains both the actual source code of the email (allowing us to view the HTML markup, as above) and the full email headers, which can contain useful information about the origin of the email.

There are three particular header fields in this phishing email which stand out:

X-Mailer: Leaf PHPMailer 2.7 (leafmailer.pw)
X-HTTP-Posting-URI: http://rapak.com.pl/wp-content/plugins/jaepjcr/wywpituocu.php
X-HTTP-Client: 185.193.36.112

None of these fields appear in the Internet Assigned Numbers Authority (IANA) Permanent Message Header Field Names registry, which means that they are nonstandard, optional headers: the mailer does not need to add them, and the receiving client should in turn not penalize an email for lacking them.

The X-Mailer field identifies which software was used to send the email - in this case it is not only identified as being Leaf PHPMailer (a known email spammer script which is typically installed on compromised WordPress pages and then used by the spammer/phisher to send rogue emails via the compromised site), but a link to the script’s homepage (leafmailer[.]pw) is also included.

The X-HTTP-Posting-URI field reveals the exact URL from which the email was sent. In this case, the Leaf PHPMailer script file has been renamed from the default name (leafmailer.php) to a seemingly random jumble of letters (wywpituocu.php) and hidden in the plugins path of a WordPress site. The site in question, rapak.com[.]pl, appears to be a Polish packaging company, which may indicate that the site has been compromised to unknowingly host the mailing script. Curiously, performing a web search for this custom field also yields a variety of almost exclusively Polish results, many of which appear to be implicated in spam campaigns.

Finally, the X-HTTP-Client field reveals the IP address of the sender. In this case, the IP 185.193.36.112 resolves to 112.36.193.185.baremetal.zare[.]com, with Zare appearing to be a server provider (indicating that the phisher may have used a third-party server instead of their own IP address to obfuscate their tracks).

Given that all three aforementioned headers are optional headers, it’s an open question as to why the email script opts to include them, as they reveal information about the phishing operation.
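The header review above can be turned into a repeatable triage step for reported messages. The following is an added example, not code from the original write-up; the raw message is constructed around the three header values and the sender address quoted on this page, and the function name, flag names and the To/Subject/body lines are assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed message: only the From address and the three X- headers come from this page.
SAMPLE_RAW = """\
From: Facebook <noreply@helpcenter.com>
To: staff@example.org
Subject: Constructed subject line
X-Mailer: Leaf PHPMailer 2.7 (leafmailer.pw)
X-HTTP-Posting-URI: http://rapak.com.pl/wp-content/plugins/jaepjcr/wywpituocu.php
X-HTTP-Client: 185.193.36.112
Content-Type: text/plain

Constructed body.
"""


def triage_headers(raw_message, claimed_domain):
    """Extract sender-side indicators and flag the red flags discussed above."""
    msg = message_from_string(raw_message)
    flags, indicators = [], {}

    # Sender address versus the service the email claims to come from.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    indicators["sender_domain"] = sender_domain
    if sender_domain != claimed_domain and not sender_domain.endswith("." + claimed_domain):
        flags.append("sender-domain-mismatch")

    # Mailing software self-identification.
    mailer = msg.get("X-Mailer", "")
    if mailer:
        indicators["mailer"] = mailer
        if "leaf phpmailer" in mailer.lower():
            flags.append("known-bulk-mailer-script")

    # URL of the script that submitted the message.
    posting_uri = msg.get("X-HTTP-Posting-URI", "")
    if posting_uri:
        parts = urlsplit(posting_uri)
        indicators["posting_host"] = parts.hostname
        indicators["posting_path"] = parts.path
        if "/wp-content/" in parts.path:
            flags.append("sent-from-wordpress-content-dir")

    # IP address of the client that drove the script.
    client = msg.get("X-HTTP-Client", "").strip()
    if client:
        try:
            indicators["client_ip"] = str(ipaddress.ip_address(client))
        except ValueError:
            flags.append("malformed-client-ip")

    return {"flags": flags, "indicators": indicators}


if __name__ == "__main__":
    print(triage_headers(SAMPLE_RAW, "facebook.com"))
```

Because all three X- headers are optional, their absence proves nothing; the function only reports them when the mailer chose to include them.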

First Link

As previously mentioned, the URL displayed in the email (which in this case is just the link’s display name)—https://www.facebook[.]com/contact/appeal/111994093622362—is not identical to the actual destination URL, which is https://www.facebook[.]com/111994093622362. This latter URL is in turn a shortened version of a Facebook Notes link, which when navigated to expands to the full URL https://www.facebook[.]com/notes/support-lnbox/help-center/111994093622362/.

The Notes landing page, while being a user-created Facebook Notes blog page, is designed to appear as if it is a formal communication from Facebook.

Figure 3. The initial phishing landing page.

There are a number of false green flags on this page, which can signal to the user that this is a legitimate Facebook notice, as well as a number of more subtle red flags which can nonetheless indicate that the page is fraudulent.

The first green flag is that the phishing landing page is actually hosted on facebook.com. Not only does the site use HTTPS, but the site SSL certificate itself is a legitimate Facebook certificate as well, as the certificate is for *.facebook.com.

Figure 4. The phishing landing page EV SSL certificate is a valid *.facebook.com certificate, as the landing page is indeed hosted on facebook.com.

Phishing prevention guides which suggest checking for the presence of an HTTPS connection are thus outdated for spotting modern, sophisticated phishing attacks, and so too are phishing prevention instructions which say to look for the website’s name in green in the browser (which is how Extended Validation (EV) certificates appear in some web browsers).

Figure 5. The phishing landing page, being hosted on Facebook, appears as an authenticated Facebook page in web browsers.

While some of the recent phishing research has noted that a minority of phishing websites are using EV SSL certificates, the authors nonetheless “assume that such domains are less useful when phishing for user credentials, as they prominently display a different company in the URL bar of several popular browsers”, seemingly overlooking the possibility that is presented in this case study: that the phishing campaign is phishing for user credentials of the same company as the EV certificate, as is the case with this campaign using a facebook.com-hosted landing page to lure users to enter Facebook credentials.

Another seeming green flag is that the landing page has an array of Facebook branding, including legitimate login and signup links, as well as Facebook logos, throughout the page. Similarly, the page displays another URL which also appears to be a legitimate Facebook link, at first glance (https://www.facebook[.]com/appeal/restricted).

There are, however, a variety of more subtle red flags present on the landing page as well. For starters, there are a number of misspellings and typos on the page; for instance, the last sentence (‘If you believe the page should not be removed, you will be provided an opportunity to submit an appeal’) lacks a closing period. More tellingly, while purporting to be from the support inbox, the message instead appears as being from ‘SUPPORT LNBOX’. Clicking on said ‘inbox’ in fact takes the user to a Facebook profile page which the phisher registered using the first/last name combination of ‘Security lnbox’. The lowercase L is intended to be a homograph of the uppercase I; while this appears successfully on the profile page, the Notes page displays the username in all capital letters, which renders the homograph attack unsuccessful in this instance.

Figure 6. Facebook phisher’s profile page, under the name ‘Security lnbox’.

Another major red flag is that—much like in the phishing email—the display URL https://www.facebook[.]com/appeal/restricted is in fact not the actual destination URL, which turns out to be https://t[.]co/oUOwikdG7N?amp=1.

Second Link

Being an external offsite link, the aforementioned t.co URL is routed through Facebook’s link script, l.php, specifically:

https://l.facebook[.]com/l.php?u=https%3A%2F%2Ft.co%2FoUOwikdG7N%3Famp%3D1&h=AT3p5tGEvmRGjvpUkQxaOcdPwpUeLvZIVkPnWcobnzSXgeaq24JDJz5EuOV0qLCATC3LIZj5BMjipibjKLN4ddlnmG3QSYK_2Cb9vqtwy5woot40N5cxtKawqx9TXUWdIzVEE5zy3zS6fIDiIw94aQ

At some point following the launch of the campaign, Facebook did flag the outbound t.co link as malicious, subsequently displaying a warning that the link cannot be followed owing to it not meeting Facebook’s community standards.

Figure 7. Facebook blocking of malicious offsite link.

Curiously, while Facebook did eventually flag the offsite t.co link, it took several more days for them to shut down the phisher’s Facebook account, leaving the initial landing page up, despite the offsite link being blocked.

T.co is Twitter’s URL shortener service, which is only available to users when they input a link into Twitter, whether when making a post or sending a direct message, suggesting that the phisher has a Twitter account which they used to generate the shortened URL. Twitter’s URL shortener, unlike some other link shortener services, does not seem to provide any publicly available metrics about click-throughs.

Using a URL expander service, https://t[.]co/oUOwikdG7N?amp=1 can be seen to expand to https://facebook.help-contact-terms[.]review/id=1103928423/.

Figure 8. The second phishing landing page.

This second, offsite landing page informs the user that they have been “Reported for Copyright Content”, and invites them to submit an appeal form which asks for their full name, phone number, email address, password, page URL, date of birth, and any comments they wish to enter.

The page, though replete with spelling errors (“Please be carefully by filling out this form”, “we made abble this form”, “statuory requirements”, etc.), attempts to mimic Facebook’s fonts and layout (e.g. the blue Continue button). The page also uses the generic Top Level Domain (gTLD) review and the subdomain facebook to make it appear as if the user is actually visiting a Facebook-affiliated domain. The webpage is served through HTTPS, as the phishing site is using Cloudflare. The Certificate Subject Alt Name field of the SSL certificate can be examined to see if the phisher is using the same certificate on any other domains, though in this case they do not appear to be doing so.

Figure 9. Certificate Subject Alt Name field of the phisher’s Cloudflare certificate, which can be used for further domain enumeration if the same certificate is set up for multiple domains or subdomains, though it is not in this case.

WHOIS information for the help-contact-terms[.]review shows that the domain was registered on December 3, 2019 via NameCheap, Inc. (who describe themselves as “the first major domain registrar to offer Bitcoin”) using the WhoisGuard Inc. WHOIS anonymization service, and is behind Cloudflare.

Figure 10. WHOIS information for help-contact-terms[.]review.

Third Link

The Continue button on the phishing appeal form page points to another shortened URL, https://bit[.]ly/33Fk5kf, this time using the Bitly URL shortener service in lieu of Twitter’s. Using the aforementioned URL expander service, the Bitly URL can be seen to expand to https://www.facebook[.]com/help/?mail_sent=1&_rdc=1&_rdr.

Once the user has filled out the phishing form, they are then redirected back to a legitimate facebook.com page which thanks them for contacting Facebook, adding credibility to the phishing campaign by making it appear as if the form was genuinely submitted to Facebook.

Figure 11. Legitimate Facebook contact confirmation page.

As the shortened Bitly URL expands to an official Facebook URL, it is unclear why the phisher opted to use the shortening service. One possibility is the desire to collect click-through metrics, in case the phisher did not want to set up manual collection on their help-contact-terms[.]review site. Basic Bitly analytics can be publicly viewed by appending a plus sign (+) to the end of a shortened Bitly URL, https://bit[.]ly/33Fk5kf+ in this case. Click count data for any Bitly link can be viewed without a Bitly account, while referrers and user location data can be viewed for any Bitly link when logged in to Bitly with a free user account. Logging into a Bitly account thus allows us to see basic analytics containing the click counts, referrers, and user location data associated with this particular Bitly link.

Figure 12. Basic Bitly analytics for the URL used as part of the phishing campaign.

Looking at the location data shows that the single majority of click-throughs for the Bitly URL were from Italy, suggesting that Italian users may have been a target of the phishing campaign. Out of a total of 743 click-throughs, 207 were from October 17, 2019, indicating that the link has been reused from an earlier campaign, given that the help-contact-terms[.]review phishing website was only created on December 3, 2019 (WHOIS information for another domain listed in the referrer information provided in the Bitly metrics, help-support-contact[.]services, shows that it was registered on October 17, 2019, and updated on December 12, 2019). There is, however, also the possibility that the phisher used an already-existing shortened Bitly URL instead of creating one themselves. The particular Bitly URL has, however, certainly been used in other phishing campaigns, as looking at the referrer data provided by Bitly’s basic analytics allows us to enumerate eight phishing domains (two of which contain two subdomains) which utilize the shortened Bitly address:

facebook.com.contact-help-support[.]services
facebook.com.help-support-contact[.]services
facebook.help-contact[.]services
facebook.help-contact-terms[.]review
facebook.support-help-terms[.]services
fb.contact-help-support[.]services
fb.help-appeal-contact[.]services
fb.help-contact-support[.]services
fb.help-contact-terms[.]review
fb.support-help-terms[.]services

The subdomains are either fb, facebook, or facebook.com; the domain names are hyphenated variations of the words appeal, contact, help, support, terms, and the top-level domains are the generic top-level domains services or review.
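The naming pattern described above (brand name pushed into the subdomain, lure words in the registered domain, a small set of gTLDs) translates directly into a hostname check for proxy or DNS logs. The following is an added example, not code from the original write-up; the function and reason names are hypothetical, help.example.org is a constructed control, and the registrable domain is assumed to be the last two labels, which holds for single-label TLDs such as services and review but needs the Public Suffix List in general.

```python
# Values taken from the pattern described above.
BRAND_LABELS = {"facebook", "fb"}
LURE_WORDS = {"appeal", "contact", "help", "support", "terms"}
LURE_TLDS = {"services", "review"}


def classify_host(host, brand_domain="facebook.com"):
    """Classify a hostname as brand-owned, suspicious or unrelated, with reasons."""
    host = host.replace("[.]", ".").lower().rstrip(".")  # accept defanged input
    result = {"host": host, "registrable": None, "verdict": "unrelated", "reasons": []}

    # Anything at or under the real brand domain belongs to the brand.
    if host == brand_domain or host.endswith("." + brand_domain):
        result.update(registrable=brand_domain, verdict="brand-owned")
        return result

    labels = host.split(".")
    if len(labels) < 2:
        return result

    # Assumption: the registrable domain is the last two labels.
    result["registrable"] = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])

    if subdomain == brand_domain or subdomain.endswith("." + brand_domain):
        result["reasons"].append("full-brand-domain-as-subdomain")
    elif BRAND_LABELS & set(labels[:-2]):
        result["reasons"].append("brand-label-in-subdomain")

    # Supporting signals: hyphenated lure words and the gTLDs seen in this campaign.
    if all(word in LURE_WORDS for word in labels[-2].split("-")):
        result["reasons"].append("lure-words-in-domain")
    if labels[-1] in LURE_TLDS:
        result["reasons"].append("lure-tld")

    # The brand appearing outside the brand's own domain is what makes a host suspicious.
    if result["reasons"] and "brand" in result["reasons"][0]:
        result["verdict"] = "suspicious"
    return result


# Three hosts from the list above, two legitimate hosts from this page, one constructed control.
SAMPLE_HOSTS = [
    "facebook.com.contact-help-support[.]services",
    "fb.help-appeal-contact[.]services",
    "facebook.help-contact-terms[.]review",
    "www.facebook[.]com",
    "l.facebook[.]com",
    "help.example.org",
]

if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        print(classify_host(sample))
```

The registrable field is the value to act on when blocking, since the phisher can vary the subdomain freely under a domain they control.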

Phishing Campaign Flow

The entire Facebook phishing campaign link flow can be summarized as follows:

Figure 13. Facebook phishing campaign flow.

Summary

This email phishing attack is an intriguing mix of amateur and sophisticated phishing techniques. The campaign approach itself—using a Facebook-hosted landing page to phish Facebook login credentials—while not entirely novel, is nonetheless seldom used. The phisher created a sophisticated chain of attack that led the targeted users from an email purporting to be from Facebook, to a landing page actually hosted on facebook.com, to an offsite form page which instructed users to input their Facebook credentials, and finally back to an official facebook.com confirmation page. URL shorteners were further used throughout the process to both obfuscate destination URLs and collect click-through metrics.

Nonetheless, portions of the campaign were handled with more amateurism. For instance, the initial bait email was delivered via a widely available phishing script, and the various text throughout the campaign was replete with spelling and grammatical errors.

Ultimately, the campaign signals the escalating elaboration and sophistication of phishing attacks, particularly those which are at least partially hosted on the very same domains that the phishing attack is attempting to harvest credentials for. Older phishing prevention advice, to check that the website domain is indeed the one the user is entering credentials for (let alone to check for HTTPS), is insufficient for the prevention of modern phishing attacks; greater user vigilance is required to notice a variety of red flags to avoid clicking on suspicious links and entering credentials into malicious sites.