- Huntress discovers a phishing campaign abusing Meta business account email infrastructure and impersonating the Meta Agency Partner Program
- Victims were tricked into handing over credentials, which attackers exfiltrated to Telegram to take over accounts, serve fraudulent ads, and conduct spear phishing.
- Meta has since added security barriers that killed the campaign; Huntress released IoC to help organizations detect related activities
Hackers are abusing one and posing as another legitimate Metaservice to try to steal login credentials for people’s business accounts at the company.
Meta, owner of Facebook, Instagram, WhatsApp and more, allows businesses to set up separate accounts and talk to each other. Emails sent from one to another pass through the company’s infrastructure, so they are shown as coming from Meta itself.
However, until recently, hackers abused this fact to send phishing emails that landed directly in their victims’ inboxes, security researcher Huntress explained. The company even tried to curb this by coding a disclaimer that email senders are not part of or affiliated with Meta, but the criminals also found creative ways around this.
Spend money
The phishing emails redirected victims to landing pages outside of the Meta ecosystem. These pages were designed to mimic the Meta Agency Partner Program, a legitimate initiative that connects businesses with professionals in social media management work.
Those who didn’t see through the hoax would end up trying to log into their accounts and instead simply share their login credentials with the attackers. The secrets would be leaked to a Telegram account under the control of the threat actors, which they could then use for different things, from phishing to malvertising.
“Threat actors can leverage Meta business accounts to spend the victim’s money on malicious or fraudulent advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks to the company’s customers or social media followers.” the researchers explained.
Over the past few months, the campaign has evolved and changed, using different lures and mechanics, but maintaining the same end goal. However, Meta has effectively removed it by adding additional railings that now make running impossible.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




