Cyber News

Beware – Fake Facebook Login Page Targets Users in Latest Phishing Scam

Cyber-security analysts are warning of a sophisticated credential-harvesting campaign that combines a deceptive “I’m not arobot” CAPTCHA prompt with a Browser-in-the-Browser (BitB) overlay to mimic Facebook’s login window.

The multi-stage lure is designed to harvest account credentials and session cookies from unsuspecting users.

How the Attack Unfolds

Malicious Redirect
Users typically encounter the scam after clicking a shortened or obfuscated link in social-media DMs, paid ads, or SEO-poisoned Google results. The URL often points to a compromised WordPress site that immediately issues a 302 redirect to an attacker-controlled domain hosting the phish.
Fake CAPTCHA Gate
The landing page presents a Google-branded reCAPTCHA Enterprise widget. Unlike real CAPTCHA served from .google.com, the iframe source here is cdn-recaptcha-validation[dot]com, a look-alike domain registered two months ago and hosted on a bulletproof ASN in Russia. Pressing the “I’m not a robot” checkbox triggers JavaScript that records browser fingerprint data (user agent, language, timezone, and WebGL hashes) and forwards it to the C2 server.
Browser-in-the-Browser Overlay
If the fingerprint passes basic anti-bot checks, victims see a pop-up that perfectly mimics Chrome’s window chrome, including rounded corners, drop shadows, and even a fabricated address bar set to https://www.facebook.com/login.php. This BitB window is implemented with HTML <div> elements styled via CSS transform: scale(0.94) to appear slightly smaller than the parent viewport—creating the illusion of a separate browser dialog.
Credential Theft
Submitted email-password pairs are POSTed to /gate.php on the attacker domain and immediately validated via the Facebook Graph API. Successful logins trigger the server to request a 2FA code or backup recovery tokens, which the page then re-prompts the user to enter. Stolen session cookies are shipped to a Telegram bot for real-time hijacking.

Technical Indicators

Artifact	Details
Registrar	Namecheap, created: 2025-07-03
Malicious domains	cdn-recaptcha-validation[.]com, fb-login-secure[.]net
C2 IP	185.180.199.54 (AS9009, M247)
JS libraries	fingerprintjs-pro, sweetalert2 (modified), CryptoJS
SHA-256 of main JS	9f3b8e6d9e8f4b7c3d0a12f4e6f9871b0e1c8d5b3a1f9576b1e4ab3c7d9e8f6

Why BitB Works

BitB attacks exploit users’ trust in familiar UI chrome. Because the “window” resides entirely within the current tab, it bypasses browser defenses, such as anti-spoofing in the address bar and certificate indicators.

Security-conscious users who typically hover over URLs may still be fooled—the forged bar displays a valid padlock icon rendered from Feather icons.

Mitigation Tips

Enable Facebook’s “login alerts” and review recognized devices weekly.
Deploy enterprise SSO with WebAuthn hardware keys; BitB cannot steal private keys stored on YubiKeys.
Train employees to drag dubious pop-ups outside the browser viewport; genuine modal dialogs cannot leave the tab area.
Block newly registered domains (<30days) at the gateway to thwart fast-flux phishing infrastructure.

Outlook

Researchers at Huntress Labs note that the kit’s codebase overlaps with last year’s Steam BitB campaign, suggesting a commoditized phishing-as-a-service model.

With CAPTCHA gates lowering suspicion and BitB windows bypassing visual checks, hybrid lures like this are expected to proliferate.

Until browsers can cryptographically bind window chrome to origin, user vigilance and strong, phishing-resistant authentication remain the best defense.

Priya