Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign

Published: 23/11/2024   Category: security




The clever, interactive phishing campaign is a sign of increasingly complex social-engineering attacks, researchers warn.



A social-engineering campaign bent on stealing Facebook account credentials and victims' phone numbers is targeting business pages with a savvy lure that incorporates Facebook's Messenger chatbot feature.
That's according to an analysis from Trustwave SpiderLabs. Karl Sigler, senior security research manager there, tells Dark Reading that the campaign is notable for its interactivity and for how much more complex the social-engineering aspects of phishing campaigns have become.
"You don't just click on a link and then get prompted to download an executable — most people are going to understand that's an attack and not click on it," he explains. "In this attack, it's a link that leads you to a tech-support-type channel asking for information that you would expect tech support to ask for, and that ramping up of the social-engineering aspect is relatively new with these types of campaigns."
According to the research, the attacks start with emails, as they often do. The emails claim that user pages will be terminated in 48 hours due to a violation of Facebook's community standards — a savvy lure, researchers pointed out, given that the social-media giant has been vocal about its efforts to clamp down on rule-breakers.
The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. If one hovers over the button, the URL uses Meta's legitimate URL-shortening service (whose links use the m.me domain). If users click, they're taken to a real Messenger conversation with a chatbot.
The chatbot claims to be a representative of the Facebook support team, and presents another "Appeal Now" button to victims. The embedded link opens a new tab to a website hosted on Google Firebase.
Firebase "is an application development software that provides developers with a variety of tools to help build, improve, and grow the app [making it] easy for anyone to create and publish webpages," according to Trustwave's Tuesday analysis. "Spammers take advantage of this availability, and in this case, they built a website disguised as a Facebook Support Inbox, where the user can purportedly appeal the supposed deletion of their page."
On this page, the now-victims are asked to enter their email address or mobile number, first and last name, and page name. An additional text box for a phone number is displayed even though a mobile number is already requested in the first text box. After pressing a "Submit" button, a pop-up window appears asking for the victim's password.
All of the data is, of course, sent directly to the cybercrooks' database.
The last link of the attack chain involves a bogus two-factor authentication gambit — users are presented with a pop-up box asking for a code and are told they'll be sent a one-time password, which the attackers can actually do, since they've already captured the victims' email and phone data.
Finally, the page redirects to the actual Facebook Help Center.
One of the aspects that makes this campaign so effective is the fact that chatbots are a common feature of digital marketing and live support these days, and people are not inclined to be suspicious of their contents, especially if they come from a seemingly genuine source.
"The campaign uses the actual Facebook chat mechanism," Sigler says. "When you click the link in the email and it takes you literally to Facebook, and you can see your account profile up top, you can see that it's Facebook, you can look at the URL and it's got the nice little lock up top that lends trust. The support page says 'Page support.' They've given me a case number. And that's often enough to break down those barriers that a lot of people put up to identify the red flags associated with phishing."
Sigler warns that attacks like these can be especially risky for business-page owners.
"This could be leveraged very well in a targeted-type of attack," he notes. "If I know an organization has standardized on specific messaging clients, whether it's Skype or Teams or Signal, I can start to craft a campaign specific to that messaging platform."
Cybercriminals can cause plenty of damage for business users with Facebook credentials and phone numbers, Sigler adds.
"If the person who is in charge of your social networking falls for this type of scam, suddenly, your entire business page may be defaced, or they could leverage access to that business page to gain access directly to your customers using the legitimacy of that Facebook presence," he explains. "They'll also probably go after additional network access and data."
Phishing Defense with User Awareness Training: Still Effective
The use of valid infrastructure to propagate such attacks is a sign of things to come in phishing, Sigler notes.
"A lot of times, these types of attacks will use cloned sites or those typosquatted domains that look like Facebook, but it's actually Facebock, let's say," he says. "Going forward, we're going to continue to see a trend of attacks coming from traditionally valid sources, and it's going to be harder and harder to distinguish these campaigns because of that legitimacy level that they're piggybacking on top of."
That said, it's worth noting that this particular campaign was not without its suspicious red flags. For instance, the emails have grammatical problems, such as the improper capitalization of the word "Page" and the missing period at the end of the third sentence, researchers pointed out. And in the email header, the sender is named as "Policy Issues," but the sender domain does not belong to Facebook. It is also evident from the email's Received headers and sender IP address that it was not sent by the social media platform.
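The header-level red flags just described (a sender display name that does not match the sending domain, and Received headers and a sender IP that do not belong to the impersonated platform) are mechanically checkable. The script below is an added example, not code from the article or from Trustwave's research: it parses a constructed sample message modelled on the lure and reports those mismatches. The sample addresses, the `BRAND_DOMAINS` list, the `BRAND_NETWORKS` ranges (TEST-NET addresses) and the lure phrases are all placeholders a defender would replace with the brand's published sending domains and IP ranges.

```python
"""Flag brand-impersonation red flags in raw email headers (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message modelled on the lure described in the article.
# Domains and IPs are placeholders (.invalid TLD, TEST-NET ranges), not real indicators.
SAMPLE_EMAIL = """\
Received: from mail-relay.bulk-sender.invalid (mail-relay.bulk-sender.invalid [203.0.113.45])
\tby mx.victim-org.invalid with ESMTP id abc123; Tue, 21 Jun 2022 10:02:11 +0000
From: "Policy Issues" <no-reply@policy-issues-support.invalid>
To: pageowner@victim-org.invalid
Subject: Your Page will be terminated in 48 hours

Your Facebook Page violated our Community Standards. Appeal Now.
"""

# Constructed benign counterpart: brand in the display name, but the sending
# domain and client IP are on the allowlists below.
LEGIT_EMAIL = """\
Received: from outbound.facebookmail.com (outbound.facebookmail.com [198.51.100.7])
\tby mx.victim-org.invalid with ESMTP id def456; Tue, 21 Jun 2022 11:00:00 +0000
From: "Facebook" <notification@facebookmail.com>
To: pageowner@victim-org.invalid
Subject: Someone commented on your post

Someone commented on your post.
"""

# Assumption: a defender maintains these allowlists; the values are illustrative only.
BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}, "meta": {"meta.com"}}
BRAND_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # placeholder for published ranges
LURE_PATTERNS = [r"\b48 hours\b", r"\bappeal now\b", r"\bcommunity standards\b"]


def message_body(msg):
    """Return the plain-text body, handling simple multipart messages."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def sender_ip(msg):
    """Client IP from the first Received header (the hop added by our own MX)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0])
    return match.group(1) if match else None


def domain_matches(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw):
    """Return the sender domain, client IP and a list of red-flag findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    content = " ".join([display, msg.get("Subject", ""), message_body(msg)]).lower()
    findings = []

    # 1. A brand is referenced but the sending domain is not one of its own.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", content) and not domain_matches(domain, domains):
            findings.append(f"mentions '{brand}' but sender domain is '{domain or 'missing'}'")

    # 2. The connecting client IP is outside the brand's mail ranges.
    ip = sender_ip(msg)
    if ip is None:
        findings.append("no Received header with a client IP")
    elif not any(ipaddress.ip_address(ip) in net for net in BRAND_NETWORKS):
        findings.append(f"sender IP {ip} is outside the brand's mail ranges")

    # 3. Several lure phrases from the campaign appear together.
    lures = [p for p in LURE_PATTERNS if re.search(p, content)]
    if len(lures) >= 2:
        findings.append(f"{len(lures)} lure phrases present")

    return {"from_domain": domain, "sender_ip": ip, "findings": findings,
            "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze(raw))
```

Each check is weak on its own (legitimate bulk senders do use third-party relays, and notification mail does contain urgent wording), which is why the verdict requires two independent findings; the display-name-versus-domain mismatch is the signal that most directly reproduces the "Policy Issues" observation above.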
There are also problems when users are taken to the purported support page.
"Closer inspection of the profile owning the page will reveal that this is not an actual support page," according to the research. "The profile used is just a normal business/fan page with zero followers and no posts. Even though this page may seem unused, it had a 'Very Responsive' badge, which Facebook defines as having a response rate of 90% and responding within 15 minutes. It even sported a Messenger logo as its profile picture to appear legitimate."
"While this type of attack is a little bit clumsy from my point of view, and I think a lot of people would see through it because of the red flags, I think that this is a start and I think that they're going to get much more clever," Sigler warns.
Thus, the best defense is to focus on user phishing training, Sigler advocates.
"More than 95% of compromises are initially started with somebody clicking on the wrong link in a phishing email," Sigler notes. "Hopefully organizations are having ongoing security awareness training, because the only thing you can do to patch for this type of attack is educate your users. So, it's important to revisit your security-awareness program, to take a look at what you're currently teaching your employees and users about phishing attacks, and make sure that it's up-to-date and includes some of these more complex campaigns."
