In an unusual move, Facebook’s parent company, Meta, has filed a federal lawsuit against the unknown operators of some 39,000 phishing websites that impersonated the login pages of Facebook, WhatsApp, Instagram, and Messenger to steal usernames and passwords.
The lawsuit, filed in the US District Court for the Northern District of California, seeks unspecified damages from the operators of the sites and an injunction prohibiting them from creating, operating, or maintaining any domains that spoof or are confusingly similar to any of Meta’s websites.
“This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology,” Jessica Romero, Meta’s director of platform enforcement and litigation, wrote in a blog post. “We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur.”
In its complaint, Meta described the operators of these phishing schemes as using a relay service provided by Ngrok Inc. to redirect traffic to their websites in a manner that obscured the location of the sites, as well as the identities of the hosting providers and the individuals themselves. Ngrok’s free service allowed the phishing operators to obtain automatically generated URLs that were subdomains of Ngrok’s domain (ngrok.io). They then distributed the URLs to victims. When victims visited the Ngrok URLs, they were redirected to the phishing websites, Meta’s complaint noted.
Ngrok’s service gave phishing operators a way to expose their websites to the Internet without having to register the URLs with a domain registration service — thereby avoiding costs and the need to provide identifying information. They also used a paid Ngrok service to obtain customized URLs that were deceptively similar to those used by Facebook and the other impersonated websites.
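As an added illustration (not from the article or from Meta’s complaint), the following Python scans constructed proxy-log lines for the two patterns described above: auto-generated subdomains of the ngrok.io relay domain, and hostnames that carry an impersonated brand name but are not the brand’s own domain. The log format and the allowlist of legitimate brand domains are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Relay domain named in the complaint; tunnel URLs are auto-generated subdomains of it.
TUNNEL_DOMAINS = {"ngrok.io"}
# Brands the article says were impersonated, and their own domains (assumed allowlist).
BRAND_TOKENS = ("facebook", "instagram", "messenger", "whatsapp")
LEGIT_DOMAINS = {"facebook.com", "instagram.com", "messenger.com", "whatsapp.com"}


def registrable_domain(host):
    """Last two labels of a hostname; sufficient for the .com/.io names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the reasons a URL looks like a relay-hosted or brand-lookalike page."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return []
    reasons = []
    reg = registrable_domain(host)
    # Match on the registrable domain, so "ngrok.io.example.net" is not mistaken for a tunnel.
    if reg in TUNNEL_DOMAINS and host != reg:
        reasons.append("tunnel-subdomain")
    if reg not in LEGIT_DOMAINS:
        compact = host.replace("-", "").replace("_", "")  # "facebook-login" -> "facebooklogin"
        for token in BRAND_TOKENS:
            if token in compact:
                reasons.append("brand-lookalike:" + token)
    return reasons


def scan_log(lines):
    """Parse constructed '<timestamp> <user> <url>' lines; map flagged URLs to reasons."""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        reasons = classify_url(parts[2])
        if reasons:
            hits[parts[2]] = reasons
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2021-12-20T10:01:02Z alice https://www.facebook.com/login",
    "2021-12-20T10:02:10Z bob https://a1b2c3d4.ngrok.io/",
    "2021-12-20T10:03:44Z carol https://facebook-login-secure.ngrok.io/index.html",
    "2021-12-20T10:04:09Z dave https://instagram.verify-account.example/",
    "2021-12-20T10:05:31Z erin https://ngrok.io.example.net/",
]

if __name__ == "__main__":
    for url, why in scan_log(SAMPLE_LOG).items():
        print(url, why)
```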
Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, says legal action such as the steps Meta has taken could prove to be invaluable in at least keeping phishing in the spotlight in the long term. While phishing might seem old school, 75% of organizations worldwide experienced a phishing attack in 2020, and 43% of breaches involved phishing or another social engineering scam, she says.
“Meta has already been engaged in a months-long proactive campaign aimed at disrupting phishers, so although this lawsuit may not be enough on its own, if it is part of a larger, ongoing, multipronged approach, there is reason to be optimistic that gains can be made,” Plaggemier says. “Moreover, the more attention Meta allocates towards anti-phishing, the more pressure will ramp up on its infrastructure partners to weed out bad actors as well.”
This is not the first time a technology company has acted against phishing operators. But in the past, legal action has typically focused on taking down the infrastructure hosting the phishing websites and not so much on the operators themselves. Last July, for instance, Microsoft obtained a court order that allowed the company to seize control of numerous domains that were used in COVID-19-related phishing scams and business email compromise attacks.
Hank Schless, senior manager of security solutions at Lookout, says it will be interesting to see how the court manages the lawsuit. “While this lawsuit alone might not have a massive effect on the frequency of phishing campaigns, it’s encouraging to see the private sector taking this problem on,” he says. “It could very well cause threat actors to at least think twice before carrying out phishing attacks, which may deter less-dedicated actors.”
Any infrastructure providers that might be involved in hosting the phishing websites are unlikely to be negatively affected, Schless says. “They provide infrastructure for paying customers, but anything built on it is usually not their responsibility.”
It’s unclear what kind of precedent Meta’s lawsuit will set. But a lot will depend on the actions that it can get from courts and how quickly the company can get them, says John Bambenek, principal threat hunter at Netenrich. “Microsoft has had some success in impacting malware operations with takedowns,” he says. “Other players getting in that game can’t hurt. In the end, getting new infrastructure is not a high bar and any remedy in civil court is a poor substitute for criminal prosecution.”