Security news that informs and inspires

Meta Lawsuit Cracks Down on Facebook Phishing Scams


A new lawsuit from Meta seeks to uncover the operators behind 39,000 phishing sites that have attempted to steal Facebook, Instagram and WhatsApp users' credentials.

Meta has filed a lawsuit in a California court aimed at disrupting phishing attacks that pretend to be login pages for Facebook, Messenger, Instagram and WhatsApp.

The lawsuit in particular focused on a phishing scheme that involved more than 39,000 phishing login pages that prompted users to enter their usernames and passwords. Attackers utilized a service from a cloud company called Ngrok in order to relay Internet traffic to their phishing websites, which obfuscated where the websites were hosted.

“Starting in March 2021, when the volume of these attacks increased, we worked with the relay service to suspend thousands of URLs to the phishing websites,” said Jessica Romero, director of Platform Enforcement and Litigation at Meta, in a Monday post.

However, the Facebook parent company wants to go a step further in seeking records to uncover the identities of the operators behind the phishing sites.

In its lawsuit, Meta said it is seeking $500,000 in damages from the attackers, stating that the company has been negatively impacted by the phishing landing pages through brand and reputational damage. The lawsuit said that attackers have violated Facebook’s Terms of Services, California’s Anti-Phishing Act and the Lanham Act, which governs trademarks and unfair competition.

“It will be interesting to see how the courts manage this lawsuit.”

The social media’s previous attempts at disrupting cybercriminal activities have differed in that the attackers were known and they were directly abusing Facebook’s platform rather than working through a relay service. In November, for instance, Meta took measures against hacking groups from Syria and Pakistan that were sending phishing links to Facebook users; disabling their accounts, blocking their domains from being posted on Facebook’s platform and alerting those who were targeted.

Hank Schless, senior manager of security solutions at Lookout, said that this lawsuit alone will not have a significant impact on the frequency of phishing campaigns - but “it could very well cause threat actors to at least think twice” before launching phishing attacks.

“As cyber law is still being developed, we frequently see actors from other countries indicted on charges like fraud, but rarely for the actual cyber act itself,” said Schless. “It will be interesting to see how the courts manage this lawsuit.”

Regardless of whether the lawsuit is effective or not, Romero sent a clear signal to these attackers looking to launch phishing attacks that leverage brands under the Meta umbrella: Meta has plans to continue collaborating with online hosting and service providers to disrupt phishing attacks as they occur.

“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology,” said Romero. “We proactively block and report instances of abuse to the hosting and security community, domain name registrars, privacy/proxy services, and others.”