A large-scale phishing campaign using GitHub Pages and targeted Facebook ads has stolen the credentials of more than 615,000 Facebook users. A misleading Facebook ad offering 3GB of free data from Nepal Telecom redirected users to the phishing page. Users from Nepal, the Philippines, Tunisia, Pakistan, Mongolia, and Egypt are the most broadly affected by the campaign.
More than 500 GitHub repositories are part of this large-scale phishing campaign. The campaign was discovered by a Nepalese security firm, Threat Nix, which was able to access the attackers' database of more than 6 lakh (600,000) entries. The database is growing at a rate of more than 100 entries per minute.
The campaign has been running for the past few months: the GitHub repositories were created five months ago, and the domain used in the campaign was registered on GoDaddy in April 2020. The firm has detected four other domains belonging to the same phishing group.
The cyber actors first create a Facebook page that looks like a legitimate cellular company and then run localized ads on it offering free data. Because Facebook doesn't approve ads that link to phishing pages, the criminals use Bitly links to shorten the URLs. Once the ad is approved, it redirects the user to a static GitHub Pages website that mimics Facebook's login interface. As soon as the user fills in the login details, the credentials are stored in a Firestore database and on the phishing domain.
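The chain described above (shortened ad link, brand-impersonating login form on user-controlled static hosting, credentials posted to a third-party backend) can be turned into a simple triage check. The following is an added example written for this article; it is not code from Threat Nix or from the campaign itself. Every URL, host and HTML snippet in it is constructed for illustration, and the indicator names and thresholds are this example's own assumptions.

```python
"""Heuristic triage of a landing page reached from an ad link.

Added example for this article. All sample inputs are constructed; the
indicator names and the two-indicator threshold are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts that legitimately serve a Facebook login form (assumed allow-list).
LEGIT_LOGIN_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}
# User-controlled static hosting; the article names GitHub Pages.
STATIC_HOSTING_SUFFIXES = (".github.io",)
# URL shorteners; the article names Bitly.
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}
# Backends a static page can write harvested form data to (Firestore here).
EXFIL_BACKEND_MARKERS = ("firestore.googleapis.com", "firebaseio.com")


class _FormScanner(HTMLParser):
    """Collect password inputs, form actions, script sources and visible text."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.script_srcs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_data(self, data):
        # Inline <script> bodies also arrive here, so fetch() targets are seen.
        self.text.append(data)


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def analyze_landing_page(final_url, html, redirect_chain=()):
    """Return the indicators found and a verdict for one landing page."""
    scanner = _FormScanner()
    scanner.feed(html)
    host = _host_of(final_url)
    page_text = " ".join(scanner.text).lower()
    indicators = []

    # 1. The ad link passed through a URL shortener before landing here.
    if any(_host_of(u) in SHORTENER_HOSTS for u in redirect_chain):
        indicators.append("shortener_in_redirect_chain")

    # 2. A Facebook-branded password prompt served from static hosting.
    if (host.endswith(STATIC_HOSTING_SUFFIXES) and scanner.password_inputs
            and "facebook" in page_text):
        indicators.append("brand_impersonation_on_static_host")

    # 3. Credentials leave the page for somewhere other than Facebook.
    # Relative form actions are resolved against the page so that a
    # same-origin form on facebook.com is not flagged.
    offsite_targets = [
        a for a in scanner.form_actions
        if a and _host_of(urljoin(final_url, a)) not in LEGIT_LOGIN_HOSTS
    ]
    backend_refs = [
        s for s in scanner.script_srcs + [page_text]
        if any(m in s.lower() for m in EXFIL_BACKEND_MARKERS)
    ]
    if scanner.password_inputs and (offsite_targets or backend_refs):
        indicators.append("credentials_posted_offsite")

    verdict = "likely_phishing" if len(indicators) >= 2 else "inconclusive"
    return {"host": host, "indicators": indicators, "verdict": verdict}


# Constructed sample: a lookalike login page on a placeholder github.io host
# whose form posts straight to a Firestore REST endpoint (placeholder project).
SAMPLE_PHISH_HTML = """<html><head><title>Log in to Facebook</title></head>
<body><form method="post"
 action="https://firestore.googleapis.com/v1/projects/PLACEHOLDER/databases/(default)/documents/logins">
<input name="email"><input type="password" name="pass">
<button>Log In</button></form></body></html>"""

# Constructed sample: a same-origin login form on the real Facebook host.
SAMPLE_LEGIT_HTML = """<html><head><title>Facebook</title></head>
<body><form method="post" action="/login/">
<input name="email"><input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(analyze_landing_page("https://placeholder-page.github.io/",
                               SAMPLE_PHISH_HTML,
                               redirect_chain=("https://bit.ly/PLACEHOLDER",)))
    print(analyze_landing_page("https://www.facebook.com/login",
                               SAMPLE_LEGIT_HTML))
```

The check deliberately requires two independent indicators before calling a page likely phishing: a password field on a github.io host is not by itself malicious, and neither is a Firestore reference, but a Facebook-branded password form on user-controlled hosting that posts credentials somewhere other than Facebook is the exact pattern the article describes. In practice the redirect chain and the landing HTML would come from a sandboxed fetch of the ad link rather than from inline strings.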
The security firm is currently working with the authorities to take down the phishing infrastructure, but the takedown has not happened yet. Thus, the phishing page is still active.
If you see any such ad on Facebook offering free data and sending you to a URL where you need to fill in credentials, please don't fill in the form. Also, report such pages in the comment section so that we can take the necessary action against the phishing page.