Full Report
In a previous Trustwave SpiderLabs blog, we explored how cybercriminals exploit Facebook Messenger chatbots to execute social engineering attacks, deceiving users into falling victim to scams and phishing schemes. These attacks often rely on the perceived legitimacy of automated systems to manipulate users into sharing sensitive information.
Analysis Summary
# Tool/Technique: Fake Live Support Phishing Campaign Targeting Meta/Facebook Users
## Overview
This report describes a sophisticated social engineering and phishing campaign targeting Meta/Facebook users. The attackers use fake "live support chat" services to mimic legitimate customer support, aiming to build trust and deceive victims into revealing sensitive account information, including login credentials and potentially 2FA setup details.
## Technical Details
- Type: Technique (Phishing/Social Engineering)
- Platform: Web/Email (Targeting Facebook/Meta users)
- Capabilities: Credential harvesting, social engineering via simulated live chat, use of trusted third-party infrastructure (Salesforce, Cloudflare).
- First Seen: Early December 2024 (based on sample analysis)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Indirectly, via lure email)
- T1566.002 - Spearphishing Link
- T1587 - Develop Capabilities
- T1587.001 - Develop Infrastructure (Use of newly registered domains)
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell / T1059.005 - Visual Basic (Implied by potential steps after credential harvesting, though direct execution is not detailed)
## Functionality
### Core Capabilities
- **Initial Lure:** Sending phishing emails that claim unusual API activity and account locking, directing victims via a link to appeal the restriction.
- **Domain Squatting/Trust Exploitation:** Utilizing **Salesforce-owned domains** (`salesforce-sites[.]com`) as initial redirectors to lend credibility.
- **CAPTCHA Verification:** Implementing a **Cloudflare CAPTCHA** check to reinforce the illusion of security and legitimacy.
- **Credential Harvesting Interface:** Directing users to newly registered domains (e.g., `account[.]metasystemaccount[.]com`) designed to look like Meta's account overview, requesting name and email initially.
### Advanced Features
- **Simulated Live Support Chat:** Presenting an automated chat interface staffed by a persona (e.g., "Joseph Turner").
- **Social Engineering Escalation:** Using dialogue to extract sensitive data:
1. Checking if a provided email is associated with an account.
2. Requesting screenshots of Facebook business settings for "validation."
3. Escalating to request the victim's explicit account **password** under the guise of troubleshooting.
- **2FA Deception:** Displaying fake step-by-step instructions for setting up Facebook 2FA, potentially prompting victims to enter setup keys.
- **Telegram Integration:** Observed POST requests to a `telegram_api[.]PHP` endpoint, suggesting threat actors may be using Telegram for real-time communication management or receiving harvested data.
- **Salesforce Chatter Exploitation:** Phishing emails were observed originating from the sender format `*_@*_chatter.salesforce.com`, indicating exploitation of Salesforce Chatter features for sending communication.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not explicitly provided, but configuration files related to the web pages are implied]
- Registry Keys: [Not provided in the text]
- Network Indicators:
  - Initial Redirector: `hxxps://platform-drive-4163[.]my[.]salesforce-sites[.]com/mera`
  - Phishing Landing Domains: `account[.]metasystemaccount[.]com`, `account[.]metasystemhelp[.]com`
  - Phishing Page Endpoints: `hxxps://account[.]metasystemaccount[.]com/messages[.]php`, `hxxps://account[.]metasystemaccount[.]com/admin_info[.]php`
  - POST Submissions: `POST: hxxps://account[.]metasystemaccount[.]com/check_user_page[.]php`, `POST: hxxps://account[.]metasystemaccount[.]com/telegram_api[.]PHP`
- Behavioral Indicators:
  - Emails using subject lines related to "API Activity," "Account Lock," "Security Alert."
  - Communication originating from the sender format `*_@*_chatter.salesforce.com`.
  - POST requests to custom endpoints on newly registered domains observed during a simulated support session.
## Associated Threat Actors
- [Not explicitly named, but implied to be sophisticated actors focusing on credential theft against Meta/Facebook users.]
## Detection Methods
- Signature-based detection: Detection rules targeting the specific newly registered domains and Salesforce Chatter sender formats.
- Behavioral detection: Monitoring for unexpected requests for account passwords or repeated requests for screenshots/security keys within a "support chat" context.
- YARA rules: [Not provided in the text]
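As an added example (not code from the report or from Trustwave SpiderLabs), the following Python script turns the signature-based and behavioral detection ideas above into checks that run over constructed sample data: the sender-format and subject-line check for the lure email, and the network indicators applied to proxy log lines. The log line format, the sample lines, and the choice to treat the harvesting endpoint names (`check_user_page.php`, `telegram_api.php`) as a signal on any host rather than only on the two listed domains are assumptions made for this example; the IoC values themselves are the ones listed in the report, refanged so they match real data.

```python
import re
from urllib.parse import urlparse

# Network IoCs from the report. The report defangs them with "[.]"; they are
# refanged here so that they match real log data.
PHISHING_HOSTS = {
    "account.metasystemaccount.com",
    "account.metasystemhelp.com",
}
REDIRECTOR_HOST = "platform-drive-4163.my.salesforce-sites.com"
HARVEST_PATHS = {"/check_user_page.php", "/telegram_api.php"}

# Sender format named in the report: *_@*_chatter.salesforce.com
CHATTER_SENDER = re.compile(r"^[^@\s]*_@[^@\s]*_chatter\.salesforce\.com$", re.I)
# Subject themes named in the report
LURE_SUBJECT = re.compile(r"api activity|account lock|security alert", re.I)


def classify_email(sender: str, subject: str) -> list[str]:
    """Return the lure indicators an email's sender/subject match (empty = clean)."""
    reasons = []
    if CHATTER_SENDER.match(sender.strip()):
        reasons.append("sender uses Salesforce Chatter format")
    if LURE_SUBJECT.search(subject):
        reasons.append("subject uses account-lock/API-activity lure")
    return reasons


def classify_request(method: str, url: str) -> list[str]:
    """Return the network indicators one HTTP request matches (empty = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()  # the report shows telegram_api[.]PHP in upper case
    reasons = []
    if host == REDIRECTOR_HOST:
        reasons.append("known Salesforce Sites redirector")
    if host in PHISHING_HOSTS:
        reasons.append("known phishing landing domain")
    # Assumption (generalisation): the harvesting endpoint names are treated as
    # a behavioural signal on any host, not only on the two listed domains.
    if method.upper() == "POST" and path in HARVEST_PATHS:
        reasons.append(f"POST to harvesting endpoint {path}")
    return reasons


def scan_proxy_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan proxy log lines of the (assumed) form
    '<timestamp> <client_ip> <method> <url>' and return the lines that hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line, skip it rather than crash the scan
        _ts, _ip, method, url = parts
        reasons = classify_request(method, url)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample data: a lure email header pair and a short proxy trace that
# follows the click-through described in the report, plus one benign request.
SAMPLE_EMAIL = (
    "noreply_@acme_chatter.salesforce.com",
    "Security Alert: unusual API activity on your account",
)
SAMPLE_PROXY = [
    "2024-12-03T10:15:22Z 10.0.0.5 GET https://platform-drive-4163.my.salesforce-sites.com/mera",
    "2024-12-03T10:15:40Z 10.0.0.5 GET https://account.metasystemaccount.com/messages.php",
    "2024-12-03T10:17:02Z 10.0.0.5 POST https://account.metasystemaccount.com/check_user_page.php",
    "2024-12-03T10:19:55Z 10.0.0.5 POST https://account.metasystemaccount.com/telegram_api.PHP",
    "2024-12-03T10:20:10Z 10.0.0.7 GET https://www.facebook.com/settings",
]

if __name__ == "__main__":
    for reason in classify_email(*SAMPLE_EMAIL):
        print(f"EMAIL  {SAMPLE_EMAIL[0]}: {reason}")
    for line, reasons in scan_proxy_log(SAMPLE_PROXY):
        print(f"PROXY  {line.split()[3]}: {'; '.join(reasons)}")
```

Both checks are deliberately exact-match on the published domains and loose-match on the behavioral signals (sender format, subject wording, endpoint name), so that a rotated landing domain still trips the behavioral rules while a legitimate Salesforce notification from a non-Chatter sender does not.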
## Mitigation Strategies
- Users should never click links in unexpected security alert emails, especially those alleging account lockouts.
- Always verify the authenticity of communications by navigating directly to the official platform login page rather than using provided links.
- Treat any communication requesting sensitive data (passwords, 2FA setup keys) within a chat/email interface, even if it appears legitimate, as highly suspicious.
- Organizations should monitor for unauthorized use of their cloud platforms (like Salesforce) for phishing infrastructure.
## Related Tools/Techniques
- Previous Facebook Messenger Chatbot Social Engineering attacks.
- Phishing campaigns exploiting other trusted platforms (Reference to previous exploitation of Salesforce CRM 'Email-to-Case' feature).
- Use of cloud services (Cloudflare) for masking malicious intent.