Do you use Facebook Messenger? Have you heard about one of the largest scams in the world, one that duped millions of Facebook users? The security firm PIXM has recently released a report outlining a Facebook Messenger phishing scam that has been running for months and is thought to have tricked millions of people.
The scam is still running at the time of writing and still haunting Facebook Messenger.
If you use the app, be mindful of any links you receive before you click on them!
This particular phishing scam revolves around a fake Facebook login page. The deceptively authentic link to that page has been shared extensively across Facebook, and the page looks and feels identical to the real thing, leaving Facebook users (who tend to be older) dumbfounded when they find out their account has been compromised.
That link starts an entire chain of redirects that takes the user through a range of websites and app pages. Some of them are legitimate, which prevents Facebook from blanket-blocking the chain. When a user logs into the fake page, it reports the login details to the scammer. The scammer then logs into the account and sends the link to everyone in the victim's friends list to spread it further. Once hacked, when the user logs into Facebook, they are redirected to ad pages, surveys and other pages that make referral money for the scammer.
The scammer, whose identity is known to PIXM, reportedly “claimed to make $150 for every thousand visits [to the advertising exit page] from the United States.”
According to PIXM’s research, an estimated 400 million users from the U.S. alone have viewed the exit page of the fake login. At $150 per 1,000 visits, that “would put this threat actor’s projected revenue at $59M from Q4 2021 to present.” PIXM doesn’t believe that $150 figure, though, as it seems a little high. Anyone who runs ad networks online knows they don’t pay out anything like that amount. Despite the potential exaggeration in earnings, this scam is a good one and is still pulling people in.
Even if Facebook were able to block some of the redirect domains, it’s a matter of minutes to automatically create new ones and reinstate the scam.
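As an added example (not code from the Redact post or from PIXM’s report), here is a small Python audit of a redirect chain like the one described above. It labels each hop and judges the final landing host rather than the intermediate domains, since those rotate within minutes; the trusted-domain list and the sample chain are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption for this example: domains that legitimately host a Facebook/Messenger login.
TRUSTED_LOGIN_DOMAINS = ("facebook.com", "messenger.com")


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it.
    A substring or prefix test would wrongly accept 'facebook.com.evil.example'."""
    return host == domain or host.endswith("." + domain)


def is_trusted_login_host(host):
    return any(under_domain(host, d) for d in TRUSTED_LOGIN_DOMAINS)


def audit_chain(hops):
    """Label every hop of a redirect chain and judge where it finally lands.
    hops: URLs in the order a browser would visit them."""
    labels = []
    for url in hops:
        h = host_of(url)
        if is_trusted_login_host(h):
            labels.append((h, "facebook-owned"))
        elif "facebook" in h or "messenger" in h:
            labels.append((h, "lookalike"))    # brand name on a host Facebook does not own
        else:
            labels.append((h, "third-party"))
    final_host = labels[-1][0] if labels else ""
    if is_trusted_login_host(final_host):
        verdict = "ok"
    elif labels and labels[-1][1] == "lookalike":
        verdict = "phishing-suspect"
    else:
        verdict = "off-platform"  # fine for a shared article, never for a "login" page
    return {"final_host": final_host, "verdict": verdict, "hops": labels}


# Constructed sample chain (not from the PIXM report): Facebook's own link shim,
# a benign third-party hop, then a lookalike "login" page.
SAMPLE_CHAIN = [
    "https://l.facebook.com/l.php?u=https%3A%2F%2Fvideo-share.example%2Fv%2F1",
    "https://video-share.example/v/1",
    "https://facebook.com.secure-login.example/login.php",
]

if __name__ == "__main__":
    result = audit_chain(SAMPLE_CHAIN)
    for host, label in result["hops"]:
        print(f"{label:15} {host}")
    print("landing page:", result["final_host"], "->", result["verdict"])
```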
We at Redact are no strangers to phishing scams. In fact, we've previously talked about how to stay vigilant against them in detail. However, for both newcomers and the forgetful, we are more than happy to provide a rundown.
However simple and yet sophisticated this scam is, phishing always has a weak link: it depends on an action from you, the user. In other words, a pittance of diligence will save you a potentially monumental headache.
We think a certain level of paranoia is useful whenever you’re going places online you haven’t been before or are even remotely suspicious about a link or message, even when it comes from someone you know.
Don’t click links unless you know for sure they are legit, don’t download files, don’t log into Facebook if you’re already using it and pay special attention to the language used in messages supposedly sent from your friends.
Do that, and you’ll protect yourself from the vast majority of phishing scams out there.