- A large-scale campaign is targeting users of the Messenger app through thousands of fake posts.
- The ads promote a supposedly new version of the application that has some lucrative features.
- All that the victims get is a login prompt on a phishing page, essentially giving away their credentials.
An analysis by Group-IB’s Digital Risk Protection team informs us of a massive scam campaign targeting Facebook Messenger users in over 80 countries in Europe, Asia, North and South America, and the MEA region. The campaign uses fake ads that promote what is supposedly an updated version of the Messenger App.
Those who get tricked and download the app have their account credentials stolen right on the login screen of the landing page. Group-IB also discovered around 1,000 fake Facebook profiles that the scammers use to support and promote the campaign.
The first traces of the fraudulent campaign became evident in the summer of 2020, but this month the number of malvertising posts has peaked at 5,700. In many cases, the actors use the official Facebook Messenger logo as their profile picture, but they have to get creative with the name. Typically, we see typos like “Meseenger,” “Massengar,” or “Messanger,” and anything else that people could miss at first glance.
Moreover, to evade detection from Facebook’s anti-scam systems, the actors are shortening the links to their phishing pages using linktr.ee, bit.ly, cutt.us, cutt.ly, and rb.gy. This seems to be enough to do the trick, as none of these posts are automatically marked as dangerous.
For the landing page, the actors use something that resembles Facebook, but again, people who are careful enough will notice the clear discrepancy in the URL. In the example given by Group-IB, it’s “facebookem0.github.io”, obviously not under Facebook’s domain.
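The two tells described above, a lookalike brand name and a login page whose host is not under the real domain, are both easy to check mechanically. The following is an added example written for this article, not code from Group-IB or from Facebook: it flags profile names within a small edit distance of “Messenger” and classifies a URL's host as legitimate, a known shortener (the five services named above), or suspicious. The set of legitimate domains and the two-label “registrable domain” shortcut are assumptions for illustration (a production check would consult the public suffix list).

```python
from urllib.parse import urlparse

# Assumed for this example: the domains a real Messenger login may live under.
LEGIT_DOMAINS = {"facebook.com", "messenger.com"}

# Link shorteners named in the article as used to hide the phishing URLs.
SHORTENERS = {"linktr.ee", "bit.ly", "cutt.us", "cutt.ly", "rb.gy"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def is_brand_lookalike(name: str, brand: str = "Messenger", max_distance: int = 2) -> bool:
    """True for near-misses such as 'Meseenger', False for the exact brand
    and for unrelated names. Comparison is case-insensitive."""
    distance = levenshtein(name.lower(), brand.lower())
    return 0 < distance <= max_distance


def registrable_domain(host: str) -> str:
    """Simplified: keep the last two labels ('www.facebook.com' -> 'facebook.com').
    This ignores multi-label public suffixes such as 'co.uk' (assumption noted above)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legitimate', 'shortener' or 'suspicious' for a login URL."""
    if "//" not in url:
        url = "https://" + url           # urlparse needs a scheme to find the host
    host = urlparse(url).hostname
    if not host:
        return "suspicious"
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    if domain in SHORTENERS:
        return "shortener"
    return "suspicious"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the article's examples.
    for name in ["Messenger", "Meseenger", "Massengar", "Messanger", "Facebook"]:
        print(f"{name:10} lookalike={is_brand_lookalike(name)}")
    for url in ["https://www.facebook.com/login", "facebookem0.github.io",
                "https://bit.ly/abc123", "https://facebook.com.evil.example/"]:
        print(f"{url:40} {classify_url(url)}")
```

Note that a host such as `facebook.com.evil.example` is classified as suspicious because only the registrable domain is compared, so a legitimate-looking prefix does not help an attacker here; a shortener result is not a verdict in itself, only a signal that the destination still has to be resolved and re-checked.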
An interesting part of this story is that the lure in this campaign isn’t the promise of prize winnings but software features. The actors entice people by mentioning non-existent features like seeing who visited your profile, checking which messages were deleted, and more. In some cases, though, we see straight blackmail: threatening to delete the user’s account if they don’t use the latest Messenger version.
The only advice we can give you on the above is to remain vigilant and never act in a hurry. Whenever you are about to enter your account credentials, no matter which account or platform that is, take a moment to confirm that the URL you’re on appears legitimate. And finally, using a network protection tool should be enough to generate an alert when you land on risky websites.