Researchers at Trustwave Holdings Inc.’s SpiderLabs today detailed a new campaign that leverages Facebook infrastructure for phishing attacks and the theft of personally identifiable information.

Dubbed “Meta-Phish,” the campaign starts with phishing emails that point to actual Facebook posts instead of the typical malicious phishing link. The content on Facebook is crafted to appear legitimate, complete with a dummy “Page Support” profile with the Facebook logo as its display picture.

The message contains a copyright violation message that at first glance looks legitimate, but the link provided leads to an external page that mimics Facebook’s copyright appeal page.

Users, having been tricked so far into thinking this is all legitimate, are asked to enter details onto the page with any information stolen the moment they hit the send button. In addition, the attackers receive the victim’s IP and geolocation information. The information stolen is sent to a Telegram account via a Telegram Bot application programming interface using HTTPS.

Victims who have gotten this far into the scam are then redirected to a new phishing page and presented with a fake One Time Password Check. Any value the users enter leads to an error message with a popup that reads, “Need another way to Authenticate?” If users click “Get Code,” they are then redirected to Facebook to log in.

Most of the URLs used in the campaign use free web hosting sites or short URL services that redirect to the destination phishing site. Some alternatively use newly registered domains that are not affiliated with Facebook or Instagram.

The researchers do not note how widespread the phishing campaign is but instead point to posts and pages used in the campaign that can easily be found on Facebook by typing in “appeal form” in the search box. SiliconANGLE tested this theory and discovered dozens of fake accounts named Appeal Form (pictured), suggesting that the campaign is highly active.

Users are advised to be extra-careful when receiving alleged violation notices from Facebook and should not be fooled by the apparent legitimacy of the initial links.

Image: Facebook/SiliconANGLE