Phishing with Facebook termination notices.

Avanan, a Check Point Software Company, released a report this morning detailing a phishing campaign impersonating Facebook for credential harvesting.

About the Facebook impersonation attack.

The attack begins with an email appearing to be from Facebook saying that the victim’s account had been suspended for violations of “Community Standards”. They’re told they have the ability to “appeal” the decision within 24 hours, or face permanent account deletion. The threat actor provides a link, which in actuality leads to a credential harvesting page, but appears to be from Meta.

Techniques used to fake termination notices.

The threat actor made the credential harvesting link believable, and the name of the victim’s actual page was included in the email contents. Playing on urgency, this attacker hopes that the victim views a quick appeal to prevent an impending loss of their account as reasonable. The sender’s email address, however, did not appear to come from Facebook, rather a Gmail account.