Meta business accounts increasingly being hit by cyberattacks

In this photo illustration, the Meta Platforms, Inc. logo is displayed on a smartphone screen.
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Meta business accounts are being increasingly hit by cyberattacks, as threat actors look for easy ways to run malvertising campaigns, experts have warned. 

A report from Cofense has detailed a brand new campaign, powered by a potent phishing kit, aimed at owners of Meta (Facebook, essentially) Business accounts.

These differ from consumer-facing accounts, as they are designed to enable businesses, brands, organizations, and public figures to manage their presence, engage with their audience and, most importantly, run advertising campaigns.

"Classic" phishing

Since all advertising campaigns need to go through some form of audit (usually automated and quite possibly AI-powered), business accounts with a history of successful campaigns have a higher chance of being cleared, even for malvertising. That makes them a popular target among cybercriminals. What’s more, business accounts often have credit cards linked to them as well, allowing threat actors to run malvertising campaigns at someone else’s expense.

But most business accounts nowadays are also protected with multi-factor authentication (MFA), a second authentication step that makes it harder for hackers to steal them. A new phishing kit, detailed by Cofense in its report, allows the adversaries to bypass this step, too.

It all starts with a phishing email, which bypasses spam filters, and lands straight into the inbox. The email claims a recent ad campaign violated Meta’s policy, and that urgent information verifications are necessary for the campaign, and the account itself, to not get terminated. As expected with phishing emails, this one offers a link to “verify” account information, which redirects users to a fake Facebook login page. There, the attackers can grab not just login credentials, but MFA codes, as well.

Defending against phishing emails is relatively simple, and starts by double-checking the sender address (it’s almost never the same as the legitimate domain). Furthermore, authentic emails will almost never demand urgent user action, and will not threaten account termination in such a way.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.