A sophisticated phishing operation is exploiting public transport discounts to steal financial data from Facebook users across Europe. The scam, which has been active since at least early 2024, uses compromised Facebook accounts and paid advertisements to promote fake offers from legitimate-looking transit authorities.
The attackers create posts and ads offering 50-100% discounts on monthly or annual transit passes, typically claiming the promotion is part of a 'sustainability initiative' or 'government subsidy program.' When users click, they're taken through a multi-step verification process on cloned websites that perfectly mimic official transit provider portals, complete with SSL certificates and responsive design.
Technical analysis reveals the phishing kits used in this campaign employ several evasion techniques:
- Domain generation algorithms creating new subdomains hourly
- Cloudflare protection to mask hosting infrastructure
- Form-jacking scripts that exfiltrate data in real-time
- Geofencing to only target users in specific European cities
Payment pages request full credit card details, ID scans, and sometimes even selfies with payment cards - data that enables not just financial fraud but also identity theft. Some variants install malware through fake 'ticket validation' apps distributed after the payment process.
Security teams note this campaign's effectiveness stems from its timing (launched near monthly renewal periods for transit passes) and psychological triggers (creating false urgency with 'limited availability' claims). The attackers appear to be testing different narratives, including fake COVID relief programs and 'green mobility' subsidies.
Facebook's security team has removed hundreds of these fraudulent pages, but new ones emerge constantly. The platform's ad targeting capabilities allow scammers to precisely target commuters in specific cities who follow transit-related pages.
Enterprise security recommendations:
- Implement payment card rules blocking transactions to newly registered domains
- Deploy network-level detection for known phishing kit signatures
- Conduct simulated phishing tests with similar transport-themed lures
- Monitor dark web markets for corporate card details
- Consider dedicated corporate transit payment solutions to bypass personal card use
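One way a security team could operationalise two of the points above, the hourly subdomain churn listed under evasion techniques and the newly registered domain rule in the recommendations, as detection logic over web proxy logs. This is an added example, not code from the article or from any vendor it mentions; the log format, the registration table standing in for a WHOIS/RDAP lookup, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines ("timestamp host"); not taken from the article.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z a7f3k2.transit-pass-offer.example
2024-03-01T08:20:45Z q9z1m4.transit-pass-offer.example
2024-03-01T08:41:03Z x2c8v6.transit-pass-offer.example
2024-03-01T08:55:30Z b4n7t1.transit-pass-offer.example
2024-03-01T09:10:12Z www.intranet.example
2024-03-01T09:12:40Z mail.intranet.example
"""
REGISTRATION_DATES = {  # constructed stand-in for a WHOIS/RDAP lookup (assumption)
    "transit-pass-offer.example": datetime(2024, 2, 27),
    "intranet.example": datetime(2015, 6, 1),
}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2).lower()))
    return events

def flag_domains(events, now, max_subdomains_per_hour=3, newly_registered_days=30):
    """Return {apex: [reasons]} for apexes showing hourly subdomain churn or recent registration."""
    seen = defaultdict(lambda: defaultdict(set))  # apex -> hour bucket -> subdomain labels
    for ts, host in events:
        apex = ".".join(host.split(".")[-2:])  # registrable domain (simplification: ignores public-suffix rules)
        sub = host[: -len(apex) - 1] if host != apex else ""
        seen[apex][ts.replace(minute=0, second=0)].add(sub)
    findings = {}
    for apex, buckets in seen.items():
        reasons = []
        churn = max(len(subs) for subs in buckets.values())
        if churn > max_subdomains_per_hour:
            reasons.append(f"{churn} distinct subdomains within one hour")
        reg = REGISTRATION_DATES.get(apex)
        if reg is not None and now - reg < timedelta(days=newly_registered_days):
            reasons.append(f"registered {(now - reg).days} days ago")
        if reasons:
            findings[apex] = reasons
    return findings

def run_sample():
    return flag_domains(parse_log(SAMPLE_LOG), now=datetime(2024, 3, 1))
```

In production the registration table would be replaced by a cached RDAP query and the apex extraction by a public-suffix-list library, since two-label splitting misclassifies hosts under suffixes such as co.uk.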
The campaign underscores how cybercriminals are increasingly exploiting cost-of-living concerns and green initiatives in social engineering attacks. Similar tactics have recently targeted electric vehicle charging subsidies and bicycle-sharing programs.