Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Meta business accounts increasingly being hit by cyberattacks

In this photo illustration, the Meta Platforms, Inc. logo is displayed on a smartphone screen.

Meta business accounts are being increasingly hit by cyberattacks, as threat actors look for easy ways to run malvertising campaigns, experts have warned. 

A report from Cofense has detailed a brand new campaign, powered by a potent phishing kit, aimed at owners of Meta (Facebook, essentially) Business accounts.

These differ from consumer-facing accounts, as they are designed to enable businesses, brands, organizations, and public figures to manage their presence, engage with their audience and, most importantly, run advertising campaigns.

"Classic" phishing

Since all advertising campaigns need to go through some form of audit (usually automated and quite possibly AI-powered), business accounts with a history of successful campaigns have a higher chance of being cleared, even for malvertising. That makes them a popular target among cybercriminals. What’s more, business accounts often have credit cards linked to them as well, allowing threat actors to run malvertising campaigns at someone else’s expense.

But most business accounts nowadays are also protected with multi-factor authentication (MFA), a second authentication step that makes it harder for hackers to steal them. A new phishing kit, detailed by Cofense in its report, allows the adversaries to bypass this step, too.

It all starts with a phishing email, which bypasses spam filters, and lands straight into the inbox. The email claims a recent ad campaign violated Meta’s policy, and that urgent information verifications are necessary for the campaign, and the account itself, to not get terminated. As expected with phishing emails, this one offers a link to “verify” account information, which redirects users to a fake Facebook login page. There, the attackers can grab not just login credentials, but MFA codes, as well.

Defending against phishing emails is relatively simple, and starts by double-checking the sender address (it’s almost never the same as the legitimate domain). Furthermore, authentic emails will almost never demand urgent user action, and will not threaten account termination in such a way.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.