A phishing campaign impersonating Meta uses a Gmail sender display name and Google Forms to harvest login credentials and capture 2FA tokens in real time. The campaign then uses a vercel.app-hosted phishing page to collect credentials and immediately access compromised accounts. #Meta #GoogleForms
Key points
- The Cofense Phishing Defense Center identified a credential phishing scheme impersonating Meta’s verification process to target individuals and businesses.
- Attackers use a Gmail account with the display name “Meta Verified” and an email claiming account verification to lure victims.
- The initial click redirects victims to a Google Form used as the first step in the credential-harvesting flow.
- After the Google Form, victims are redirected to a vercel.app-hosted landing page masquerading as Meta’s privacy/verification center.
- The phishing flow captures passwords and then prompts victims to enter live 2FA tokens, which are harvested in real time and used to log in immediately.
- Use of legitimate services (Google Forms, Vercel) and realistic branding are key tactics to increase victim trust and bypass basic detection.
- Cofense’s MPDR service is recommended to help organizations detect and mitigate this type of targeted phishing campaign.
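As an added illustration (not code from Cofense or the write-up), the following triage check scores an inbound message for the three traits this campaign combines: a brand name in the display name while the envelope sender is a consumer mail domain, links to the legitimate services abused here (forms.gle, Google Forms, vercel.app), and verification/2FA lure wording. The brand and freemail lists and the sample message are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand tokens that, in a sender display name, warrant scrutiny (assumed list).
IMPERSONATED_BRANDS = ("meta", "facebook", "instagram")
# Consumer mail providers an official brand notification would not come from.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_abused_service(url: str) -> bool:
    """True for the legitimate hosting/form services this campaign abuses."""
    parsed = urlparse(url.lower())
    host = parsed.hostname or ""
    if host.endswith(".vercel.app") or host == "forms.gle":
        return True
    return host == "docs.google.com" and parsed.path.startswith("/forms")


def triage(from_header: str, body: str) -> list[str]:
    """Return the names of the campaign traits found in one message."""
    findings = []
    display_name, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    name_lc = display_name.lower()
    if any(b in name_lc for b in IMPERSONATED_BRANDS) and sender_domain in FREEMAIL_DOMAINS:
        findings.append("brand-display-name-from-freemail")
    if any(is_abused_service(u) for u in URL_RE.findall(body)):
        findings.append("link-to-abused-service")
    if re.search(r"\b(verif(y|ication)|2fa|security code)\b", body, re.IGNORECASE):
        findings.append("verification-lure-wording")
    return findings


# Constructed sample mirroring the campaign's traits (placeholder URL, not a real IoC).
SAMPLE_FROM = '"Meta Verified" <account.team.placeholder@gmail.com>'
SAMPLE_BODY = (
    "Your account requires verification to keep your badge.\n"
    "Complete the form here: https://forms.gle/PLACEHOLDER-not-a-real-link\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_FROM, SAMPLE_BODY))
```

A message that trips all three traits is a strong candidate for quarantine; the display-name/freemail mismatch alone is the cheapest signal to alert on at the gateway.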
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The campaign uses an email containing a link that redirects recipients to a Google Form to harvest credentials (‘lure recipients into clicking a Google Form and submitting their login credentials’).
- [T1566.003] Phishing: Spearphishing via Service – Threat actors abuse legitimate services (Google Forms/Docs) to host convincing phishing pages and collect sensitive data (‘the document itself is legitimate, it has been crafted by the threat actor using a convincing template to mimic Meta’s verification process’).
- [T1204.002] User Execution: Malicious Link – The attack relies on user interaction (clicking the embedded phishing URL) to begin the multi-stage credential collection flow (‘Embedded in the body of the email is the phishing URL redirect that goes to a Google Form’).
- [T1583.004] Acquire Infrastructure: Web Services – Adversaries host phishing pages on legitimate web service providers (vercel.app) to appear credible and evade detection (‘the “vercel.app” domain is a legitimate hosting service that is commonly abused by threat actors to create phishing pages impersonating trusted brands’).
- [T1078] Valid Accounts – Harvested credentials and real-time 2FA tokens are used to immediately log into and take over victim accounts (‘the token and credentials will be used to log into the user’s account almost immediately’).
Indicators of Compromise
- [URL] Stage 1 phishing redirect and Stage 2 payload landing pages – hXXps://forms[.]gle/cV8Fbu9eNgHpdY1dA, hXXps://verifybadge-trustix[.]vercel[.]app/privacy-center
- [IP Address] Observed hosting/payload IPs associated with the campaign – 199.36.158.100, 64.29.17.32, and 16.198.79.3
- [Domain] Legitimate service domains abused to host phishing content – verifybadge-trustix[.]vercel[.]app, forms[.]gle
- [Email Sender Display Name] Social engineering detail used in phishing emails – Gmail display name set to “Meta Verified” to increase perceived legitimacy
Read more: https://cofense.com/blog/the-meta-2fa-trap-from-verified-badge-to-account-takeover