Security researchers spotted a phishing campaign targeting Facebook users. PDPics/Pixabay

Security researchers have spotted a new spam campaign on Facebook designed to lure unsuspecting users to phishing pages that attempt to trick them into surrendering their Facebook login credentials.

First detected by the Finnish cybersecurity firm F-Secure, the campaign has been running for about two weeks and has slowly expanded its reach. Thus far, users located in Sweden, Finland and Germany have been the primary targets of the attacks.

The campaign was discovered on October 15 in Sweden before appearing for Finnish users on October 17 and German users on October 19. According to F-Secure’s researches, the phishing attempt has already reached nearly 200,000 users.

The campaign thus far has relied upon already compromised Facebook accounts—ones that have already been hacked and were not protected by two-factor authentication—that the spammers were able to gain access to.

With those stolen accounts, the attackers have taken to publicly posting links to phishing sites in hopes of getting people to click it when it appears in their newsfeed, as well as sending links directly to friends of the compromised users through Facebook Messenger.

When the link is shared, it appears to the user to be a YouTube video. However, the attackers managed to trick Facebook’s URL preview system into displaying the wrong link information by manipulating the metadata. While the user thinks they are clicking to view a YouTube video, they are actually redirected to a site intended to steal their credentials.

The link bounces users across a number of sites, using link shortening services to hide the true destination of where the link leads to. Eventually, the user is directed to a site that is determined based on the type of device they are using.

Mobile users, including those who are operating on an Android or iOS device, are directed to a fake login page that asks for the user’s email address and password. The page has both a Facebook logo and a YouTube logo, making it somewhat confusing as to what it is posing as.

The page claimed to be a “Facebook Video Application” that just require the user to login to access. The unfortunate users who entered their username and password intending to view the supposed video shared by who they thought was their friend are likely to have their account compromised.

The attackers have continued to perpetrate the attack with each account that it compromises through it, using the stolen credentials to hijack more accounts and continue to direct the phishing links to more users.

Luckily, enabling two-factor authentication should serve as an effective deterrent to such an attack. Two-factor authentication provides a second, temporary login code sent to a device linked to the account holder. Without that login code, a person cannot login to an account even if they have the correct password.

To enable two-factor authentication on Facebook, open the Settings menu and click on SEcurity. Then click Login Approvals. Check the box next to “Require a login code to access my account from unknown browsers” to begin the process. Users will have to provide a phone number to receive the secondary code.