
Facebook, Messenger, Instagram and WhatsApp users targeted in phishing scheme

More than 39,000 websites pretended to be the login pages for Facebook, Messenger, Instagram and WhatsApp to trick people into entering their usernames and passwords.

Queenie Wong Former Senior Writer

Facebook, now Meta, filed a lawsuit to crack down on websites that impersonated the login pages for its platforms.

Angela Lang/CNET

Meta, formerly known as Facebook, said Monday it's suing people who are behind a phishing scheme to steal usernames and passwords from its platforms.

The lawsuit, filed in a federal court in Northern California, says that since 2019 more than 39,000 websites have been created that impersonated the login pages for Facebook, Instagram, Messenger and WhatsApp. Meta doesn't know who is behind the attack but says it's part of an effort to trick its users into entering their usernames and passwords.

The move underscores how the world's largest social network is trying to combat phishing, a practice in which attackers will create fake websites or emails to try to dupe people into providing their personal information. 

"Reports of phishing attacks have been on the rise across the industry and we are taking this action to uncover the identities of the people behind the attack and stop their harmful conduct," Jessica Romero, Meta's director of platform and litigation, said in a blog post.

In July, the Anti-Phishing Working Group said it logged 260,642 phishing attacks, the highest monthly total in the group's reporting history. Phishing attacks have doubled from 2020, according to the group's report. 

The unnamed defendants used services from San Diego-based tech company Ngrok to conceal their identities and "relay internet traffic to their phishing websites in a manner that obfuscated where their websites were hosted," the 21-page lawsuit says. The lawsuit included screenshots of login pages that looked identical to the login pages for Facebook, Instagram, Messenger and WhatsApp but used Ngrok URLs. Some of the fake websites were in English and Italian. 

Ngrok founder and CEO Alan Shreve said the company works with Meta and other firms to "detect, limit, and eliminate the impact of malicious actors across each of our systems."

"At its core, Ngrok allows millions of developers to easily and securely connect anything to the internet. Unfortunately, bad actors have used this capability to launch spamming, spoofing, and phishing attacks which we detect and stop using a multi-pronged approach combining automatic detection of suspicious activities, human moderation, and external reporting," Shreve said.

Meta alleges in the lawsuit that the defendants violated the social network's terms of service, California's Anti-Phishing Act and a federal law that prohibits trademark infringement. The lawsuit doesn't say how many people were tricked into handing over their personal information.