The Facebook parent company seeks court's help in identifying the individuals behind some 39,000 websites impersonating its brands to collect login credentials.

4 Min Read
Meta logo
Source: Rokas Tenys via Shutterstock

In an unusual move, Facebook's parent company, Meta, has filed a federal lawsuit against the unknown operators of some 39,000 phishing websites that impersonated the login pages of Facebook, WhatsApp, Instagram, and Messenger to steal usernames and passwords.

The lawsuit, filed in the US District Court for the Northern District of California, seeks unspecified damages from the operators of the sites and an injunction prohibiting them from creating, operating, or maintaining any domains that spoof or are confusingly similar to any of Meta's websites.

"This lawsuit is one more step in our ongoing efforts to protect people's safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology," Jessica Romero, Meta's director of platform enforcement and litigation, wrote in a blog post. "We will also continue to collaborate with online hosting and service providers to identify and disrupt phishing attacks as they occur."

In its complaint, Meta described the operators of these phishing schemes as using a relay service provided by Ngrok Inc. to redirect traffic to their websites in a manner that obscured the location of the sites, as well as the identities of the hosting providers and the individuals themselves. Ngrok's free service allowed the phishing operators to obtain automatically generated URLs that were subdomains of Ngrok's domain (ngrok.io). They then distributed the URLs to victims. When victims visited the Ngrok URLs, they were redirected to the phishing websites, Meta's complaint noted.

Ngrok's service gave phishing operators a way to expose their websites to the Internet without having to register the URLs with a domain registration service — thereby avoiding costs and the need to provide identifying information. In addition, they also used a paid Ngrok service to obtain customized URLs that were deceivingly similar to those used by Facebook and the other impersonated websites. 

Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, says legal action such as the steps Meta has taken could prove to be invaluable in at least keeping phishing in the spotlight in the long term. While phishing might seem old school, 75% of organizations worldwide experienced a phishing attack in 2020, and 43% of breaches involved phishing or another social engineering scam, she says.

"Meta has already been engaged in a months-long proactive campaign aimed at disrupting phishers, so although this lawsuit may not be enough on its own, if it is part of a larger, ongoing, multipronged approach, there is reason to be optimistic that gains can be made," Plaggemier says. "Moreover, the more attention Meta allocates towards anti-phishing, the more pressure will ramp up on its infrastructure partners to weed out bad actors as well."

This is not the first time a technology company has acted against phishing operators. But in the past, legal action has typically focused on taking down the infrastructure hosting the phishing websites and not so much on the operators themselves. Last July, for instance, Microsoft obtained a court order that allowed the company to seize control of numerous domains that were used in COVID-19-related phishing scams and business email compromise attacks.

Hank Schless, senior manager of security solutions at Lookout, says it will be interesting to see how the court manages the lawsuit. "While this lawsuit alone might not have a massive effect on the frequency of phishing campaigns, it's encouraging to see the private sector taking this problem on," he says. "It could very well cause threat actors to at least think twice before carrying out phishing attacks, which may deter less-dedicated actors."

Any infrastructure providers that might be involved in hosting the phishing websites are unlikely to be negatively affected, Schless says. "They provide infrastructure for paying customers, but anything built on it is usually not their responsibility."

It's unclear what kind of precedent Meta's lawsuit will set. But a lot will depend on the actions that it can get from courts and how quickly the company can get them, says John Bambenek, principal threat hunter at Netenrich. "Microsoft has had some success in impacting malware operations with takedowns," he says. "Other players getting in that game can't hurt. In the end, getting new infrastructure is not a high bar and any remedy in civil court is a poor substitute for criminal prosecution." 

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights