Looks like there seems to be a new phishing campaign ramping up to get Facebook credentials from mobile users. Curious how I got a text, since I am not on Facebook.
Whoops. Well lets start a bit of investigation then.
Looks like we have a website: hxxps://acc-ver-744969.224477.icu. Let’s dig. First things first, lets check out if the certificate says anything?
Nope, just a self-signed certificate to “server.localhost.com”. Lets check out how it redirects.
Interesting, this site redirects out to m.facebook.com. Well, I know this isn’t a valid request. And I’m pretty sure Facebook doesn’t use redirects from Russia. Lets keep going.
Looks like the IP: 220.127.116.11 is from Moscow, Russia. The ports showing from this system that show open are:
It also looks like the ports for 80 and 443 go to a Facebook phishing site. Let’s check that out.
What? It looks like it really is just redirecting over to Facebook. Am I missing something?
No, recovering my sanity, it looks like this IP is commonly used for Office 365 phishing, Bank Phishing, and Facebook. So what’s up with the redirect? Let’s see what happens on mobile again.
Oooooooh, interesting. It appears that on mobile, the site is for some reason just being accepted and opened with Brave. No prompt for the self-signed certificate and no redirect to the main site. Maybe this is some sort of Chromium based bug? Let’s continue.
After obviously giving them my real phone number and password, it wants to verify that my phone number is correct. That’s nice of them.
Awesome, now my non-existent Facebook account is confirmed! That is some quality service. But out of curiosity, does this work on Firefox mobile?
No? Maybe they wrote it to only work on specific or non-updated browsers? Let’s check out normal chrome.
Weird. Now when I go back to Brave, it’s redirecting like normal. But in Firefox if I place the URL directly into the browser, it shows now as a malicious site.
It looks like if I click on this site directly from the link in the original text, for some reason it will still redirect me out to Facebook.com. But if I paste the URL directly into Firefox, I get the above message.
What is the source for this redirecting page then?
Censys.io shows that maybe these sites are being redirected to different ports on the server? It looks like the banners are encoded with MD5 to redirect. Lets check out URLSCAN again.
Looks to be 19 HTTP transactions taking place, and then simply the redirect out to Facebook.com.
I’ll keep looking at it.
For now, it looks like this this may be some sort of phishing campaign that is redirecting to normal Facebook.com if the user doesn’t have some sort of outdated or vulnerable browser. Keep your software up to date, make sure that you delete your facebook (or be very careful until your cybersecurity buddy convinces you otherwise), and never ever click on a link from your phone that is unwarranted.
Again, be on the lookout for any SMS phishing campaigns for Facebook. They (hopefully, idk) shouldn’t text you unwarranted, and especially for security reasons.