Pro Security Tech Radar

Meta business accounts increasingly being hit by cyberattacks

May 15, 2024
admin

Click here to visit Original posting

Meta business accounts are being increasingly hit by cyberattacks, as threat actors look for easy ways to run malvertising campaigns on one of the world’s biggest social media platforms. This is according to a new report from cybersecurity researchers Cofense, who recently detailed a brand new phishing campaign, powered by a potent phishing kit, aimed at owners of such accounts.

Meta (Facebook, essentially) Business accounts differ from regular ones, and are designed to enable businesses, brands, organizations, and public figures to manage their presence, engage with their audience and, most importantly, run advertising campaigns. 

Since all advertising campaigns need to go through some form of audit (usually automated and quite possibly AI-powered), business accounts with a history of successful campaigns have a higher chance of being cleared, even for malvertising. That makes them a popular target among cybercriminals. What’s more, business accounts often have credit cards linked to them as well, allowing threat actors to run malvertising campaigns at someone else’s expense.

"Classic" phishing

But most business accounts nowadays are also protected with multi-factor authentication (MFA), a second authentication step that makes it harder for hackers to steal them. A new phishing kit, detailed by Cofense in its report, allows the adversaries to bypass this step, too.

It all starts with a phishing email, which bypasses spam filters, and lands straight into the inbox. The email claims a recent ad campaign violated Meta’s policy, and that urgent information verifications are necessary for the campaign, and the account itself, to not get terminated. As expected with phishing emails, this one offers a link to “verify” account information, which redirects users to a fake Facebook login page. There, the attackers can grab not just login credentials, but MFA codes, as well.

Defending against phishing emails is relatively simple, and starts by double-checking the sender address (it’s almost never the same as the legitimate domain). Furthermore, authentic emails will almost never demand urgent user action, and will not threaten account termination in such a way.

More from TechRadar Pro