Meta business accounts increasingly being hit by cyberattacks

These differ from consumer-facing accounts, as they are designed to enable businesses, brands, organizations, and public figures to manage their presence, engage with their audience and, most importantly, run advertising campaigns.

"Classic" phishing

Since all advertising campaigns need to go through some form of audit (usually automated and quite possibly AI-powered), business accounts with a history of successful campaigns have a higher chance of being cleared, even for malvertising. That makes them a popular target among cybercriminals. What’s more, business accounts often have credit cards linked to them as well, allowing threat actors to run malvertising campaigns at someone else’s expense.

But most business accounts nowadays are also protected with multi-factor authentication (MFA), a second authentication step that makes it harder for hackers to steal them. A new phishing kit, detailed by Cofense in its report, allows the adversaries to bypass this step, too.

It all starts with a phishing email, which bypasses spam filters, and lands straight into the inbox. The email claims a recent ad campaign violated Meta’s policy, and that urgent information verifications are necessary for the campaign, and the account itself, to not get terminated. As expected with phishing emails, this one offers a link to “verify” account information, which redirects users to a fake Facebook login page. There, the attackers can grab not just login credentials, but MFA codes, as well.

Defending against phishing emails is relatively simple, and starts by double-checking the sender address (it’s almost never the same as the legitimate domain). Furthermore, authentic emails will almost never demand urgent user action, and will not threaten account termination in such a way.

More from TechRadar Pro

• Don't fall for this devious phishing scam, Facebook users warned
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now