A newly discovered phishing campaign is exploiting Facebook’s external URL warning feature to dupe users into handing over their login credentials.
By abusing Facebook’s “You’re about to leave Facebook” redirect mechanism, attackers can conceal malicious URLs behind the social media giant’s official domain and graphic style—making the lure appear bona fide even to cautious users.
Facebook introduced its external link warning page to protect users from inadvertently navigating to potentially harmful websites.
When a user clicks a link that directs them off Facebook’s domain, they see an interstitial page reading “You’re going to a link outside Facebook” with a “Continue” button.
In this phishing campaign, attackers embed the actual malicious destination URL as the “u” parameter in Facebook’s redirect link.
Security researchers at Trustwave MailMarshal SpiderLabs uncovered emails that redirect victims through legitimate-looking Facebook warning pages before landing them on counterfeit login portals.
For example, a link formatted as https://www.facebook.com/flx/warn/?u=https%3A%2F%2Fdomain.com prompts the official warning page, but pressing “Continue” takes the victim to the attacker-controlled site.
Because the initial click and warning page both show facebook.com in the address bar, recipients are more likely to trust the link and proceed.
Emails impersonating the Facebook account security team warn users that urgent verification is required, or that the account will be suspended if they fail to comply.
The subject lines mimic genuine security alerts—“Your Account Will be Limited Without Verification” or “Security Alert: Unusual Login Attempt”—and the body copy features Facebook branding, including logos, footers, and stylized “Verify Now” buttons.
Hovering over links often reveals the facebook.com domain, lulling users into a false sense of security before the redirect occurs.
Multilingual Targeting and Social Engineering
Trustwave MailMarshal SpiderLabs reports the phishing emails are sent in multiple languages, including English, German, Spanish, and Korean, to broaden geographic reach.
Each language variant uses urgent, fear-inducing prompts: unrecognized login attempts, account restrictions, or enforced password resets.
Social engineering tactics add urgency, warning that failure to act within 24 hours will result in account deactivation.
The attackers register new domains daily to evade spam filters and blacklists, often choosing names that resemble Facebook’s branding or that combine familiar Facebook-style hostnames with slight typos.
After following the redirect, victims encounter a page that mimics Facebook’s login interface. The counterfeit login portal replicates the exact layout found at facebook.com/login, including input fields for email or phone number, password fields, and the “Log In” button. The only reliable tell is the address bar, where the counterfeit site’s domain, often a random alphanumeric string or a slight misspelling of facebook.com, goes unnoticed by most victims.
Submitted credentials are harvested in real time and forwarded to the attacker’s command-and-control server, enabling immediate account takeover or further exploitation.
Mitigations
Organizations and individual users can take several steps to defend against this sophisticated phishing scheme.
First, educate employees and personal contacts about the abuse of legitimate redirects. Users should inspect the destination URL post-redirect rather than relying solely on the pre-redirect domain.
Second, implement multi-factor authentication (MFA) for all Facebook and email accounts. Even if credentials are compromised, MFA can prevent unauthorized access.
Third, deploy email security gateways capable of rewriting or quarantining links containing suspicious redirect parameters.
Advanced threat intelligence feeds can help identify newly registered domains that masquerade as trusted brands.
In addition, security teams should monitor for spikes in spoofed messages claiming to be from Facebook, and update URL filtering policies to inspect facebook.com/flx/warn links. The check should key on the decoded destination in the u parameter rather than block the warning page outright, since legitimate outbound links from Facebook pass through the same page.
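The following script is an added example for this article, not code from Trustwave or from the campaign. It shows the redirect mechanism described earlier (the destination hidden in the u parameter) from the defender’s side: it extracts and decodes the u parameter from facebook.com/flx/warn links found in an email body, follows chained warn links, tolerates the extra percent-encoding layer some lures add, and flags any redirect whose final host is not one of an assumed list of Meta-owned domains. The trusted-domain list, the hop limit, and the sample email body are assumptions made for the example; the domains in the sample are placeholders.

```python
"""Classify facebook.com/flx/warn redirect links by their real destination."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: only these suffixes are treated as benign redirect targets.
TRUSTED_SUFFIXES = ("facebook.com", "fb.com", "instagram.com", "messenger.com", "meta.com")
MAX_HOPS = 5  # guard against warn links that point at further warn links

def _split(url):
    """urlsplit that returns None instead of raising on malformed input."""
    try:
        return urlsplit(url)
    except ValueError:
        return None

def _host(url):
    parts = _split(url)
    return (parts.hostname or "").lower() if parts else ""

def host_is_trusted(host):
    """Exact or subdomain match only; 'evilfacebook.com' must not pass."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def is_fb_warn_link(url):
    parts = _split(url)
    if parts is None:
        return False
    host = (parts.hostname or "").lower()
    return (host == "facebook.com" or host.endswith(".facebook.com")) and parts.path.startswith("/flx/warn")

def warn_target(url):
    """Decode the 'u' parameter of one flx/warn link; None if it is missing."""
    values = parse_qs(urlsplit(url).query).get("u")
    if not values:
        return None
    dest = values[0]  # parse_qs already removed one layer of percent-encoding
    # Some lures double-encode the target; keep decoding until a scheme appears.
    for _ in range(3):
        if "://" in dest or "%" not in dest:
            break
        decoded = unquote(dest)
        if decoded == dest:
            break
        dest = decoded
    return dest

def resolve_destination(url):
    """Follow chained flx/warn links; return (final_url, number_of_hops)."""
    hops = 0
    while is_fb_warn_link(url) and hops < MAX_HOPS:
        nxt = warn_target(url)
        if nxt is None:
            break
        url, hops = nxt, hops + 1
    return url, hops

def classify_link(url):
    """One of: not_fb_warn, benign_redirect, suspicious_redirect, malformed."""
    if not is_fb_warn_link(url):
        return "not_fb_warn"
    final, hops = resolve_destination(url)
    host = _host(final)
    if hops == 0 or not host:
        return "malformed"
    return "benign_redirect" if host_is_trusted(host) else "suspicious_redirect"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def scan_body(text):
    """Return [(link, verdict, final_destination)] for every flx/warn link in an email body."""
    findings = []
    for link in URL_RE.findall(text):
        link = link.rstrip(".,);")
        verdict = classify_link(link)
        if verdict == "not_fb_warn":
            continue
        final, _ = resolve_destination(link)
        findings.append((link, verdict, final))
    return findings

# Constructed sample email body for the example (not from the real campaign).
SAMPLE_EMAIL = """Security Alert: Unusual Login Attempt
Verify now: https://www.facebook.com/flx/warn/?u=https%3A%2F%2Flogin-verify.example%2Fsignin
Help Center: https://www.facebook.com/flx/warn/?u=https%3A%2F%2Fwww.facebook.com%2Fhelp
Double-encoded: https://www.facebook.com/flx/warn/?u=https%253A%252F%252Fsupport.example
"""

if __name__ == "__main__":
    for link, verdict, final in scan_body(SAMPLE_EMAIL):
        print(f"{verdict:20} {final}")
```

Run as-is it prints three verdicts: the verification link and the double-encoded link resolve to non-Meta hosts and are flagged, while the Help Center link resolves back to www.facebook.com and is left alone. The decision is made on the resolved host, so the same gateway rule does not break ordinary outbound links shared on Facebook.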
End users can report phishing attempts directly to Facebook. Keeping browsers and anti-phishing extensions up to date will also help detect forged login pages.
As phishing campaigns continue to evolve, leveraging the very security features designed to protect users, vigilance remains critical. By combining user awareness training, robust authentication controls, and proactive email filtering, organizations can reduce the risk posed by these deceptive attacks.