The Unfriending Truth: How to Spot a Facebook Phishing Scam Before It's Too Late

    Date: 01/13/2026

    Severity: High

    Summary

    As one of the world’s largest social media platforms, Facebook has over 3 billion active users. This massive user base makes it a prime target for phishing attacks. Attackers seek to hijack accounts to exploit victims and their social networks. Their objective is to steal login credentials for fraud, data theft, or scam distribution. In the second half of 2025, we observed a sharp rise in Facebook phishing campaigns. Many of these attacks used the “Browser in the Browser” (BitB) technique to mimic legitimate login pop-ups and steal credentials.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "meta.user-support-business.cfd" or url like "meta.user-support-business.cfd" or siteurl like "meta.user-support-business.cfd" or domainname like "report-copyright-metaplanet.net" or url like "report-copyright-metaplanet.net" or siteurl like "report-copyright-metaplanet.net" or domainname like "casefb126765-be7a.vercel.app" or url like "casefb126765-be7a.vercel.app" or siteurl like "casefb126765-be7a.vercel.app" or domainname like "talentbymetaal.vercel.app" or url like "talentbymetaal.vercel.app" or siteurl like "talentbymetaal.vercel.app" or domainname like "eclectic-cupcake-fd4922.netlify.app" or url like "eclectic-cupcake-fd4922.netlify.app" or siteurl like "eclectic-cupcake-fd4922.netlify.app" or domainname like "casefb183711-jcw7.vercel.app" or url like "casefb183711-jcw7.vercel.app" or siteurl like "casefb183711-jcw7.vercel.app" or domainname like "8gu8-casefb020219.vercel.app" or url like "8gu8-casefb020219.vercel.app" or siteurl like "8gu8-casefb020219.vercel.app" or domainname like "supportmeta-horizonusa.org" or url like "supportmeta-horizonusa.org" or siteurl like "supportmeta-horizonusa.org" or domainname like "casefb921134-lflp.vercel.app" or url like "casefb921134-lflp.vercel.app" or siteurl like "casefb921134-lflp.vercel.app" or domainname like "ads.pageverifybusiness.cfd" or url like "ads.pageverifybusiness.cfd" or siteurl like "ads.pageverifybusiness.cfd" or domainname like "performance-guidance-hub.pages.dev" or url like "performance-guidance-hub.pages.dev" or siteurl like "performance-guidance-hub.pages.dev" or domainname like "secure-community-lcf4.vercel.app" or url like "secure-community-lcf4.vercel.app" or siteurl like "secure-community-lcf4.vercel.app" or domainname like "center.active-page-policy.cfd" or url like "center.active-page-policy.cfd" or siteurl like "center.active-page-policy.cfd" or domainname like "meataconnects.cfd" or url like "meataconnects.cfd" or siteurl like "meataconnects.cfd" or domainname like 
"supportmeta-horizon.net" or url like "supportmeta-horizon.net" or siteurl like "supportmeta-horizon.net" or domainname like "accountcenter-lawtrackma-qer2209wrw.netlify.app" or url like "accountcenter-lawtrackma-qer2209wrw.netlify.app" or siteurl like "accountcenter-lawtrackma-qer2209wrw.netlify.app" or domainname like "accountcenter-violacoetet-gt2609hgrr.netlify.app" or url like "accountcenter-violacoetet-gt2609hgrr.netlify.app" or siteurl like "accountcenter-violacoetet-gt2609hgrr.netlify.app" or domainname like "randalli-clifford.pages.dev" or url like "randalli-clifford.pages.dev" or siteurl like "randalli-clifford.pages.dev" or domainname like "copyright-videofb.org" or url like "copyright-videofb.org" or siteurl like "copyright-videofb.org" or domainname like "casefb814915-uzsa.vercel.app" or url like "casefb814915-uzsa.vercel.app" or siteurl like "casefb814915-uzsa.vercel.app" or domainname like "page.user-support-business.cfd" or url like "page.user-support-business.cfd" or siteurl like "page.user-support-business.cfd" or domainname like "ads.active-page-policy.cfd" or url like "ads.active-page-policy.cfd" or siteurl like "ads.active-page-policy.cfd" or domainname like "accountcenter-forbendro-sdf2509xcv.netlify.app" or url like "accountcenter-forbendro-sdf2509xcv.netlify.app" or siteurl like "accountcenter-forbendro-sdf2509xcv.netlify.app"

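The same three-field check as the query above, written as an added example (not Gurucul's or the original advisory's code) that matches on host label boundaries rather than substrings, so a look-alike host, a shared hosting parent such as pages.dev, or an indicator appearing only in a query string is not flagged. Assumptions: events arrive as dictionaries keyed by the query's field names, the helper names are hypothetical, and only two indicators from the query are loaded.

```python
from urllib.parse import urlsplit

# Two indicators copied from the query above; load the full list in practice.
IOC_HOSTS = {"meataconnects.cfd", "randalli-clifford.pages.dev"}

FIELDS = ("domainname", "url", "siteurl")  # field names used by the query


def extract_host(value):
    """Return the lower-cased host from a bare domain or a full URL."""
    value = (value or "").strip()
    if not value:
        return ""
    # urlsplit only fills hostname when a scheme or '//' is present.
    parts = urlsplit(value if "//" in value else "//" + value)
    return (parts.hostname or "").rstrip(".")


def ioc_for_host(host):
    """Match the host or any parent on a label boundary; never a substring."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_HOSTS:
            return candidate
    return None


def match_event(event):
    """Return (field, indicator) for the first matching field, else None."""
    for field in FIELDS:
        hit = ioc_for_host(extract_host(event.get(field)))
        if hit:
            return field, hit
    return None


# Constructed proxy events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "https://MEATACONNECTS.cfd:443/login?next=/"},
    {"domainname": "cdn.randalli-clifford.pages.dev."},
    {"siteurl": "https://docs.pages.dev/"},
    {"url": "https://notmeataconnects.cfd/"},
    {"url": "https://example.org/?ref=meataconnects.cfd"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", match_event(ev))
```
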
    Reference:

    https://www.trellix.com/blogs/research/the-unfriending-truth-how-to-spot-a-facebook-phishing-scam/


    Tags

    Malware, Phishing, Facebook, Exploit, credential stealers
