Phishing Campaign Impersonates Facebook’s Business Manager

The video examines a phishing campaign impersonating Facebook’s Business Manager, where attackers send legitimate-looking emails from @facebook.com and business.fas.com with subject lines like "You've received a business manager partner request." These emails, received by the presenter on April 14, 19, and multiple subsequent dates, use urgency tactics—claiming accounts will be locked in 24 hours—and embed malicious URLs in the sender’s business name. The phishing sites, hosted on domains like signup.agy-partner.community and Shieldxmarketing-partner-join.com, employ Cloudflare and Vercel’s Next.js framework, with many already offline by the time of analysis. One active site mimicked Meta’s interface, collecting credentials via a fake form that exfiltrated data to a Telegram bot through an encrypted API endpoint (/api/client-extend), using CryptoJS for OpenSSL-based encryption with a hardcoded passphrase. The presenter demonstrated decrypting captured base64 payloads in Kali Linux using Node.js, revealing stolen inputs like passwords and 2FA codes. While the email template was rated highly convincing (B+ or A), the phishing sites were poorly executed, lacking functional links and validation, and were flagged by Gmail post-delivery. Similar reports surfaced on Reddit around the same timeframe, indicating a widespread campaign.