- Huntress Uncovers Phishing Campaign Abusing Meta’s Corporate Account Email Infrastructure and Mimicking the Meta Agency Partner Program
- Victims were tricked into handing over credentials that attackers exfiltrated to Telegram for account takeover, scam ads and targeted phishing
- The meta has since added bumper cars that killed the campaign; Huntress released IoCs to help organizations discover related activity
Hackers abuse one and pretend to be another legitimate Meta service to try to steal login information for people’s business accounts with the company.
Meta, the owner of Facebook, Instagram, WhatsApp and more, allows businesses to create separate accounts and talk to each other. The emails sent from one to the other pass through the company’s infrastructure, meaning they come from Meta itself.
But until recently, hackers abused this fact to send phishing emails that landed directly in their victims’ inboxes, security researchers explained to Huntress. The company even tried to curb this by hard-coding a disclaimer that email senders are not part of or affiliated with Meta, but crooks found creative ways around this as well.
To spend money
Phishing emails redirected victims to landing pages outside the Meta ecosystem. These pages are designed to mimic the Meta Agency Partner Program, a legitimate initiative that connects companies with professionals in social media management work.
Those who didn’t want to see the list would end up trying to log into their accounts instead of simply sharing their login information with the attackers. The secrets would be exfiltrated into a Telegram account under the control of the threat actors, which they could later use for various things, from phishing to malvertising.
“Threat actors can leverage Meta business accounts to spend the victim’s money on malicious or scam advertising, or they can take over the account completely, change the recovery methods and password, and leverage the account to transmit more targeted attacks against the company’s customers or social media followers.” explained the researchers.
Over the past few months, the campaign has evolved and changed, using different lures and mechanics, but with the same end goal. However, Meta has effectively killed it by adding additional guardrails that now make it impossible to drive.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



