Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and serving them advertisements.

The campaign operators used these stolen accounts to send further phishing messages to their friends, generating significant revenue via online advertising commissions.

According to PIXM, a New York-based AI-focused cybersecurity firm, the campaign peaked in April-May 2022 but has been active since at least September 2021.

When PIXM took a closer look at the fake landing page, it found “a reference to the actual server which is hosting the database server to collect users’ entered credentials”. That reference was a modified version of the legitimate URL and led through a series of redirects. Also within the page code, PIXM discovered a link to a traffic monitoring application, which allowed the anti-phishing company to view the campaign’s tracking metrics. This led PIXM to uncover not only the traffic data for the cybercriminals’ page but also a host of other fake landing pages.

As more Facebook accounts were stolen, the threat actors used automated tools to send further phishing links to each compromised account’s friends, compounding the growth in stolen accounts.

“A user’s account would be compromised and, in a likely automated fashion, the threat actor would log in to that account and send out the link to the user’s friends via Facebook Messenger,” explains PIXM in the report.

“After the user has clicked, they will be redirected to the actual phishing page. But, in terms of what lands on Facebook, it’s a link generated using a legitimate service that Facebook could not outright block without blocking legitimate apps and links as well.”

However, the threat actors erred by embedding, in the page code, a link to the traffic monitoring application they were using. This allowed PIXM researchers to access the tracking metrics of the entire phishing campaign, including hundreds of landing pages the actors had developed.

As expected, the scale is massive. One of the landing pages had 2.7 million user visits in 2021 and has been visited by approximately 8.5 million users so far in 2022.

PIXM also discovered over 400 unique usernames, each linked to a different phishing landing page. One username had as many as 6.3 million views in 2022, up 128% from 2021.

In total, all these usernames accounted for 399,017,673 sessions. The phishers also told an OWASP researcher that for every one thousand visits from the United States, they earned about $150. Applying that rate to every session gives an estimated total revenue of $59.85 million.