Description

A newly uncovered phishing campaign is targeting Meta Business account holders by impersonating official Instagram emails, falsely claiming that advertising accounts have been suspended due to policy violations. According to the Cofense Phishing Defense Center (PDC), attackers use subject lines like “Critical Advertising Restrictions on Your Account” to create urgency and trick users into clicking a malicious link. Victims are redirected to fraudulent Meta-like login pages hosted on deceptive domains, such as business help-manager[.]com, where they unknowingly submit their credentials. The attackers then use these stolen details to gain unauthorized access to Meta Business accounts, potentially hijacking advertising budgets and sensitive business data.

The phishing scheme goes beyond simple credential theft, employing fake chat support services to further manipulate victims. After entering their login details, users are engaged through a chatbot that mimics Meta’s official customer support. The attackers request sensitive account details, such as screenshots of business settings, to deepen their access. Additionally, victims are tricked into setting up fraudulent Two-Factor Authentication (2FA) using a malicious app called "SYSTEM CHECK." This app secretly registers attacker-controlled devices as trusted login methods, ensuring persistent access to compromised accounts. If users do not interact with the fake chatbot, attackers provide step-by-step "self-help" instructions that lead to the same outcome: bypassing security measures and taking full control of accounts.

This campaign highlights highly sophisticated social engineering tactics designed to deceive even cautious users. Security experts advise businesses and individuals managing social media ad accounts to scrutinize sender addresses, verify URLs before clicking links, and remain skeptical of urgent security-related emails. Users should avoid engaging with unexpected customer support requests and report suspicious activity to Meta immediately. As phishing campaigns targeting social media credentials become more advanced, enhanced vigilance and proactive security measures are essential to preventing unauthorized account takeovers.
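The advice above (check the sender address, check where links actually point, be wary of urgency wording) can be turned into a simple triage check that a mail team could run over reported messages. The following is an added example written for this page, not code from Cofense or Meta. The allowlist of legitimate Meta sender domains is an assumption to be adjusted to what your own Meta notices use; the indicator list contains the domain exactly as printed in the write-up plus one constructed lookalike used only in the constructed sample message.

```python
"""Triage check for emails impersonating Meta/Instagram business notices.

Added example; not part of the original write-up. A message is flagged when:
  * the From: domain is not on the assumed allowlist of Meta sender domains,
  * a link in the body resolves to a known (defanged) indicator, or
  * a link's host looks like a Meta/Instagram brand lookalike, or
  * the subject carries the urgency wording reported for this campaign.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed legitimate sender domains (adjust to your own environment).
LEGIT_DOMAINS = {"facebookmail.com", "facebook.com", "instagram.com", "meta.com"}

# Defanged indicators: the first is copied as printed in the write-up,
# the second is constructed for this example's sample message.
DEFANGED_INDICATORS = [
    "business help-manager[.]com",
    "meta-business-help-example[.]com",
]

URGENT_SUBJECTS = [
    re.compile(r"critical advertising restrictions", re.I),
    re.compile(r"account (suspended|restricted)", re.I),
]
URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.I)
BRAND_WORDS = ("meta", "instagram", "facebook", "business")


def refang(indicator: str) -> str:
    """Turn 'evil[.]com' / 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


INDICATOR_HOSTS = {refang(i) for i in DEFANGED_INDICATORS}


def is_legit_host(host: str) -> bool:
    """True if host is an allowlisted domain or a proper subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def sender_domain(msg) -> str:
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def triage(raw_message: str) -> dict:
    """Return {'suspicious': bool, 'findings': [reasons...]} for one raw email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    dom = sender_domain(msg)
    if not is_legit_host(dom):
        findings.append(f"sender domain not on allowlist: {dom}")

    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in URGENT_SUBJECTS):
        findings.append(f"urgency subject: {subject!r}")

    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host in INDICATOR_HOSTS:
            findings.append(f"link to known indicator: {host}")
        elif not is_legit_host(host) and any(w in host for w in BRAND_WORDS):
            findings.append(f"brand lookalike link: {host}")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not real captures).
PHISH_SAMPLE = """\
From: Instagram Support <notifications@meta-business-help-example.com>
To: ads-admin@example.org
Subject: Critical Advertising Restrictions on Your Account
Content-Type: text/plain; charset=utf-8

Your advertising account has been suspended for policy violations.
Review it within 24 hours: https://meta-business-help-example.com/login
"""

LEGIT_SAMPLE = """\
From: Meta for Business <advertise-noreply@facebookmail.com>
To: ads-admin@example.org
Subject: Your weekly ads performance summary
Content-Type: text/plain; charset=utf-8

See this week's results: https://business.facebook.com/adsmanager
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(raw))
```

The check is deliberately conservative: an unknown sender domain or a brand word in a non-allowlisted link only produces a finding for a human to review, and the defanged indicator is kept as printed so it can be swapped for a live feed without changing the matching logic.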