A newly discovered phishing campaign, dubbed "Meta Mirage," is targeting businesses using Meta's Business Suite, aiming to hijack high-value accounts that manage advertising and official brand pages.
Cybersecurity researchers at CTM360 have uncovered over 14,000 malicious URLs associated with this operation, with nearly 78% evading browser blocks at the time of their report. Attackers impersonate official Meta communications, using trusted cloud platforms like GitHub, Firebase, and Vercel to host convincing fake pages, making detection difficult. These tactics echo recent findings from Microsoft and the Google Sites phishing campaign, where cybercriminals exploit reputable platforms to deceive users.
The Meta Mirage campaign employs two primary methods: credential theft and cookie theft. Attackers send fake alerts about policy violations, account suspensions, or urgent verification needs via email and direct messages, mimicking Meta’s authoritative tone to create urgency. Victims are lured to realistic-looking websites where they enter passwords and security codes, and are often prompted to re-enter them by deliberately fake error messages. Additionally, stolen browser cookies allow attackers to maintain access to compromised accounts without passwords. These accounts are then exploited to run malicious advertising campaigns, amplifying the damage, similar to tactics seen in the PlayPraetor malware campaign.
To combat this threat, CTM360 recommends using official devices and separate business-only email addresses for managing social media accounts, enabling two-factor authentication (2FA), regularly reviewing account security settings, and training staff to spot suspicious messages. The attackers’ calculated approach—starting with mild notifications that escalate to urgent threats of account deletion—exploits user anxiety to maximize effectiveness. This widespread campaign highlights the critical need for vigilance and proactive security measures to safeguard valuable online assets.
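Because the pages sit on GitHub, Firebase, and Vercel, domain reputation alone will not flag them. The following is an added triage sketch, not code from CTM360 or Meta: it scores links from mail or proxy logs by combining a shared-hosting suffix with brand and lure wording in the tenant-controlled part of the URL. The suffix list, keyword patterns, and sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shared-hosting suffixes for the platforms the report names (GitHub Pages,
# Firebase Hosting, Vercel). Keyword patterns below are illustrative assumptions.
SHARED_SUFFIXES = ("github.io", "web.app", "firebaseapp.com", "vercel.app")
# Letter boundaries keep "metadata" from matching; concatenated lookalikes
# will slip past, so treat this as triage, not a verdict.
BRAND = re.compile(r"(?<![a-z])(?:meta|facebook)(?![a-z])")
LURE = re.compile(r"policy|violation|suspen|verif")

def shared_suffix(host):
    """Return the matching suffix, or None. Requires a label boundary."""
    for suffix in SHARED_SUFFIXES:
        if host.endswith("." + suffix):
            return suffix
    return None

def score_url(url):
    """Return (score, reasons); only tenant-controlled text is inspected."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    suffix = shared_suffix(host)
    if suffix is None:
        return 0, []
    tenant_text = host[: -len(suffix) - 1] + parts.path.lower()
    reasons = ["shared host: " + suffix]
    if BRAND.search(tenant_text):
        reasons.append("brand term")
    if LURE.search(tenant_text):
        reasons.append("lure term")
    return len(reasons), reasons

def triage(urls):
    """Return URLs that pair a shared host with a brand term, for review."""
    return [u for u in urls if "brand term" in score_url(u)[1]]

# Constructed sample URLs, not indicators from the CTM360 report.
SAMPLES = [
    "https://meta-verify-example.vercel.app/policy-violation",
    "https://example-user.github.io/metadata-docs/",
    "https://business.facebook.com/security",
    "https://notgithub.io/meta-verify",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(score_url(u), u)
```

Hits are candidates for analyst review rather than block decisions, since legitimate projects on these platforms can also mention Meta.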