A sophisticated phishing campaign has recently emerged, targeting Facebook users with carefully crafted emails designed to harvest login credentials.<\/p>\n
Attackers leverage the platform\u2019s own external URL warning system to cloak malicious links, presenting URLs that appear legitimate while redirecting victims to counterfeit Facebook login pages.<\/p>\n
The initial lure arrives as an urgent security notification, warning users of \u201cunauthorized access attempts\u201d or prompting them to verify account activity.<\/p>\n
The email\u2019s design closely mirrors Facebook\u2019s styling, complete with social media icons and footer disclaimers, creating a sense of authenticity and leading recipients to click without hesitation.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNU010LXbxMHIiB1dy2Zw9OwxQ3PjdvJvt6l2IRcNkbDtJCZQ59eXY65PgF7bi2CsCRah8aXUEGiJvjlMH-zXdLBo_Nk1dTOhU8TAzk7BBbXmwKYcTvHAFhoAQOlux7uVkpYlzVikmpjGk7o8InZSLUhqcJ6tR8CiGf4FSTERuRVVW6GNMzoDWCwl2sGk\/s16000\/Phishing%2520%28Source%2520-%2520X%29.webp?ssl=1\")
The campaign\u2019s reach spans multiple languages, including English, German, Spanish, and Korean, broadening its potential victim pool.<\/p>\n
Phishing URLs consistently follow a pattern of benign domains forwarded through Facebook\u2019s redirector service (e.g., httpst.co\/MS24b2xu6p), which then reroute to attackers\u2019 infrastructure.<\/p>\n
SpiderLabs analysts identified<\/a> this technique after examining dozens of email samples, noting how the redirect mechanism both evades link scanners and bypasses user suspicion.<\/p>\n Victims who follow the link encounter a near-perfect replica of Facebook\u2019s login interface, where credentials submitted are immediately exfiltrated to a command-and-control server.<\/p>\n On successful submission, the fake portal executes a brief JavaScript snippet to display an \u201cIncorrect password\u201d error, prompting users to re-enter their details\u2014unwittingly supplying attackers with valid credentials on the second attempt.<\/p>\n The harvested data includes email<\/a> addresses, phone numbers, and passwords, which are stored in a PHP backend script for later retrieval by threat actors.<\/p>\n The core innovation of this phishing campaign lies in its abuse of Facebook\u2019s external URL warning system as an infection mechanism.<\/p>\n \u2014 SpiderLabs (@SpiderLabs) September 17, 2025<\/a>\n<\/p><\/blockquote>\nRedirect-Based Infection Mechanism<\/strong><\/h2>\n
\n
![\"\ud83d\udea8\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/16.0.1\/72x72\/1f6a8.png?ssl=1\")
#PhishingAlert<\/a>: We spotted a new #Facebook<\/a> #phishing<\/a> campaign abusing the platform\u2019s external URL warning system (https:\/\/t.co\/MS24b2xu6p<\/a>). Attackers use this redirect to make links appear legitimate, luring victims to fake login portals that harvest credentials. Emails are\u2026 pic.twitter.com\/YexCmbIl9z<\/a><\/p>\n