A new report out today from cybersecurity company Trellix Inc. warns that Facebook phishing scams are becoming significantly more sophisticated, as attackers increasingly abuse legitimate cloud infrastructure and employ advanced visual deception techniques to steal user credentials.

According to the report, attackers have moved beyond traditional phishing emails and fake login pages and are adopting a technique known as “browser-in-the-browser.”

The method involves creating a fully simulated login pop-up window inside a user’s browser tab that closely mimics a legitimate Facebook authentication prompt. Because the fake window displays what appears to be a real Facebook URL, users have little visual indication that their credentials are being harvested rather than sent to Meta Platforms Inc.’s servers.

The phishing campaigns often start with phishing emails designed to look like official communications from law firms or Meta and often allege copyright violations, account suspensions, or suspicious login activity. The potential victims are then directed to click on a link and are then presented with the deceptive BitB login window.

Not surprisingly, at this point, once credentials are entered, the attackers can completely take over Facebook accounts to spread further scams, steal personal data or conduct identity fraud.

The campaign also becomes more interesting in that instead of relying on malicious domains, attackers have been found to be increasingly deploying fake Facebook login and appeal pages on services such as Netlify Inc. and Vercel Inc. The idea here is that by hosting phishing content on reputable cloud providers and masking links with URL shorteners, the attackers can evade many traditional email and web security filters while giving victims a false sense of legitimacy.

In examples given in the report, users were first prompted to submit basic personal information, including names, email addresses, phone numbers and dates of birth, before being asked to enter their Facebook passwords to complete an appeal or security check. Trellix’s researchers note that this multi-step approach increases the perceived authenticity of the process and improves credential theft success rates.

The researchers warn that the rise of BitB attacks represents an escalation in phishing tactics because visual inspection alone is no longer a reliable defense, arguing that even experienced users may struggle to distinguish a fake in-browser login window from a genuine authentication flow.

Trellix is recommending that all Facebook users enable two-factor authentication on their accounts, avoid clicking links in unsolicited emails and manually navigate to facebook.com or the official mobile app to verify account issues.

Image: SiliconANGLE/Ideogram