A phishing campaign has been identified that targets corporate Facebook credentials and has so far involved more than 12,000 messages to users worldwide. The campaign has primarily targeted enterprises in the European Union (45.5%), United States (45%), and Australia (9.5%) with the phishing emails sent using a legitimate Salesforce automated mailing service. When emails are sent via this service, a sender email address can be specified; however, if no address is supplied, the emails appear to have been sent directly from Salesforce from the noreply@salesforce.com email address, per the terms of service. As such, any recipient of the email may mistakenly believe that the emails are official.
The emails include fake versions of the Facebook logo, which recipients should be able to identify as fake; however, the emails are well-written, and the subject matter is sufficiently concerning to warrant a click. The emails warn the recipient about a copyright infringement claim that has been filed under the Digital Millennium Copyright Act (DMCA) against the user’s personal account, indicating material has been shared via their account that is in violation of copyright laws.
The messages include the date of the complaint, that it was reported by Universal Music Group, and is due to the unauthorized use of copyrighted music. The recipient is told they must respond to the claim by the close of business if they wish to contest the claim. The date of the required response is only 24 hours after the complaint date, therefore an immediate response is required. As is common with phishing attempts, there is a threat – permanent restrictions on the user’s Facebook account. The message includes a button to click to contest the claim, but rather than direct the user to a login page, they are directed to a fake support page, where they are provided with further information on the restrictions that have or will be applied. Several variations of that email have been identified, including warnings that Facebook surveillance systems have identified a copyright issue and, as a result, limitations have been placed on the user’s account.
Those restrictions include the disabling of personal ad accounts and audiences, blocking the management of advertising assets or people for businesses, and preventing the user from creating or running ads and managing ad accounts. In order to have those restrictions removed, the user must click the button to request a review, which directs the user to a spoofed Facebook login page. If credentials are entered, they will be captured and used to log in to the user’s account. The campaign, identified by Check Point Research, targets business users, many of whom will rely on Facebook for advertising and customer contact, therefore the consequences of an account restriction could be serious, and certainly serious enough to warrant filing an appeal. What is unclear is how the threat actor uses the compromised accounts. Potentially they could be used for further scams, which could cause considerable reputational damage to the business.
Protecting against these types of phishing campaigns requires a combination of email security and user awareness. An email security solution can prevent these messages from reaching inboxes, thus neutralizing the threat, but security awareness training should also be provided to workforce members to help them identify and avoid phishing attempts. In this case, Facebook admins for the business should be warned about the campaign and instructed to log in to Facebook directly via their web browser if they receive any copyright infringement notices purporting to have been sent by Facebook. If there is a problem with their account, it will be apparent when login into their account.
With the SafeTitan security awareness training platform from TitanHQ, it is easy to create and automate security awareness training programs and roll out new training content in relation to specific threats, only providing that training to the individuals who are likely to be targeted. Phishing simulations can easily be created to test awareness of these phishing scams, with relevant training automatically delivered in response to clicks on phishing emails.
TitanHQ’s anti-spam software, SpamTitan, provides excellent protection against phishing, as demonstrated by recent tests by VirusBulletin. The cloud-based anti-spam service outperformed all other antispam solutions in the latest round of tests, blocking 100% of phishing emails and 100% of malware, earning SpamTitan the top spot for overall score. If you are not happy with your anti-phishing defenses or feel you are paying too much for protection, give the TitanHQ team a call and ask about SpamTitan. If you have yet to provide regular security awareness training to your workforce, why not sign up for a free trial of Safetitan and put the product to the test on your workforce?