A new global phishing threat called “Meta Mirage” has been uncovered, targeting businesses using Meta’s Business Suite. This campaign specifically aims at hijacking high-value accounts, including those managing advertising and official brand pages.
Cybersecurity researchers at CTM360 revealed that attackers behind Meta Mirage impersonate official Meta communications, tricking users into handing over sensitive details like passwords and security codes (OTP).
The scale of this operation is alarming. Researchers have already identified over 14,000 malicious URLs, a concerning majority of which—nearly 78%—were not blocked by browsers at the time the report was published.
Cybercriminals cleverly hosted fake pages leveraging trusted cloud platforms like GitHub, Firebase, and Vercel, making it harder to spot the scams. This method aligns closely with recent findings from Microsoft, which highlighted similar abuse of cloud hosting services to compromise Kubernetes applications, emphasizing how attackers frequently leverage trusted platforms to evade detection.
The attackers deploy fake alerts about policy violations, account suspensions, or urgent verification notices. These messages, sent via email and direct messages, look convincing because they mimic official communications from Meta, often appearing urgent and authoritative. This tactic mirrors techniques observed in the recent Google Sites phishing campaign, which used authentic-looking Google-hosted pages to deceive users.
Two main methods are being used:
Credential Theft: Victims enter passwords and OTPs into realistic-looking fake websites. The attackers deliberately trigger fake error messages, causing users to re-enter their details, ensuring accurate and usable stolen information.
Cookie Theft: Scammers also steal browser cookies, allowing them continued access to compromised accounts even without passwords.
These compromised accounts don’t just affect individual businesses—they’re often exploited to run malicious advertising campaigns, further amplifying damage, similar to tactics observed in the PlayPraetor malware campaign that hijacked social media accounts for fraudulent ad distribution.
CTM360’s report also outlines a structured and calculated approach used by the attackers to maximize effectiveness. Victims are initially contacted with mild, non-alarming notifications that progressively escalate in urgency and severity. Initial notices might mention generic policy violations, while subsequent messages warn of immediate suspensions or permanent deletion of accounts. This incremental escalation induces anxiety and urgency, driving users to act quickly without thoroughly verifying the authenticity of these messages.
To protect against this threat, CTM360 recommends:
Only use official devices to manage business social media accounts.
Use separate business-only email addresses.
Enable Two-Factor Authentication (2FA).
Regularly review account security settings and active sessions.
Train staff to recognize and report suspicious messages.
This widespread phishing campaign underscores the importance of vigilance and proactive security measures to protect valuable online assets.
