Large Scale Phishing Operation: 615,000+ User Credentials Stolen Using Facebook Ads

A large-scale phishing operation has hit several countries including Nepal, Egypt, and the Philippines, and may have already stolen over 615,000 user credentials through Facebook ads and GitHub Pages.


Researchers from security firm ThreatNix found threat actors abusing Facebook ads in a massive phishing campaign to steal users’ login credentials. They stated that the cybercriminals used GitHub Pages to host the phishing sites that the Facebook ads redirected users to. The large-scale phishing operation targeted Facebook users in Nepal, Egypt, the Philippines, and several other countries, and may have already affected more than 615,000 users.

“Our researchers first came across the campaign through a sponsored Facebook post that was offering 3 GB mobile data from Nepal Telecom and redirecting to a phishing site hosted on GitHub pages,” ThreatNix said.

Most Affected Countries

ThreatNix’s investigation found user entries from more than 50 countries. The most affected countries in the phishing campaign include:

  • Nepal (27466)
  • Philippines (15506)
  • Egypt (5386)
  • Mongolia (832)
  • Norway (714)
  • Tunisia (540)
  • Iraq (321)
  • Malaysia (300)
  • Algeria (282)
  • Pakistan (1042)

The Large-scale Phishing Operation

  • Adversaries used localized Facebook posts and pages imitating legitimate entities and targeted ads for specific countries.
  • Fraudulent links in these posts redirected the users to a static GitHub Pages site that contained a fake Facebook login panel.
  • The compromised users’ login entries were then forwarded to two endpoints – a Firestore database and a domain operated by the phishing group.

The scammers used Bitly links, which initially pointed to a legitimate destination and were switched to the phishing domain once the ad was approved. Over 500 GitHub repositories containing phishing pages linked to this campaign were found in the investigation. “These repositories are created by a variety of recent accounts and some of the pages were abandoned and were no longer available on GitHub pages. The earliest these pages were created in GitHub was 5 months back, but as some GitHub repositories were deleted, it is possible that similar tactics were used before that as well,” ThreatNix added.
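A defender-side check for the chain described above (short link, then a GitHub Pages landing page, then a Facebook-branded login form that posts credentials to Firestore), as an added example that is not from the article or from ThreatNix. The indicator host lists are assumptions, and the sample redirect chain and page body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists (not from the article): shortener, static host and exfil host families.
SHORTENERS = {"bit.ly", "bitly.com"}
STATIC_HOSTS = (".github.io",)
EXFIL_HOSTS = ("firestore.googleapis.com", "firebaseio.com")

class _FormScanner(HTMLParser):  # records each <form> action and whether it has a password field
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def assess(chain, html):
    """Return the indicators found for a redirect chain plus the body of the final page."""
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    final, found = hosts[-1], []
    if any(h in SHORTENERS for h in hosts[:-1]):
        found.append("shortener-in-chain")          # ad link went through a shortener
    if final.endswith(STATIC_HOSTS):
        found.append("final-host-static-hosting")   # landing page on GitHub Pages
    if "facebook" in html.lower() and not final.endswith("facebook.com"):
        found.append("facebook-branding-offsite")   # Facebook look-alike on a foreign host
    scanner = _FormScanner()
    scanner.feed(html)
    for f in scanner.forms:
        if not f["password"]:
            continue
        target = (urlparse(f["action"]).hostname or final).lower()  # relative action = same host
        if target.endswith(EXFIL_HOSTS):
            found.append("credentials-post-to-firestore")
        elif target != final and not target.endswith("facebook.com"):
            found.append("credentials-post-to-third-party")
    return found

# Constructed sample mirroring the described chain; hostnames and paths are placeholders.
SAMPLE_CHAIN = ["https://bit.ly/placeholder", "https://example-offer.github.io/data/"]
SAMPLE_PAGE = """<title>Log in to Facebook</title><form method="post"
action="https://firestore.googleapis.com/v1/projects/placeholder/documents/logins"><input type="password" name="pass"></form>"""
```

Running `assess(SAMPLE_CHAIN, SAMPLE_PAGE)` returns all four indicators; a genuine `www.facebook.com` login form posting to its own host returns none.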