Meta (Facebook) sues operators of 39,000 phishing sites

Meta, the parent company for Facebook, Instagram, and WhatsApp, has filed a lawsuit today in a California court against the operators of more than 39,000 phishing sites that have been hosted through the Ngrok service.

The company is seeking to obtain a court injunction and damages of at least $500,000 from the operators of these sites, even before they are identified, according to court documents obtained by The Record.

The lawsuit alleged that the group created phishing sites on their local systems and then used Ngrok, a localhost-to-internet relay service that allows developers to expose their local sites on the ngrok.io domain.

The group then spread links to these ngrok.io domains to victims and collected their account credentials.

Meta said that since 2019, the operators of this scheme—listed in court documents as 100 unnamed John Does—are believed to have created and hosted more than 39,000 phishing sites impersonating the login pages of Facebook, Messenger, Instagram, and WhatsApp.

"Starting in March 2021, when the volume of these attacks increased, we worked with the relay service to suspend thousands of URLs to the phishing websites," Jessica Romero, Meta's Director of Platform Enforcement and Litigation, said in a blog post today.

Lawsuit described as "interesting tactic"

But the lawsuit in itself is just weird. In an email today, Crane Hassold, Director of Threat Intelligence at Abnormal Security, described Meta's lawsuit as an "interesting tactic."

"We've seen other large companies in the past, like Microsoft, use civil lawsuits to try and mitigate phishing threats, but those efforts were usually aimed at the infrastructure hosting phishing sites, rather than targeting anonymous actors like we're seeing in this Facebook lawsuit," Hassold said.

The lawsuit isn't the first of its kind, however, as some companies have also sued in the past to obtain court injunctions to prevent ransomware gangs from leaking their data.

Such court rulings can help companies that have been the victims of a ransomware gang force hosting providers to take down data faster, having a legal document in hand.

However, this is the first lawsuit filed against phishing site operators, but not filed against one singular gang, but all those who rely on a particular scheme—namely, using Ngrok as a relay system to temporarily host phishing sites.

The simplicity of setting up a local site and then funneling it through a temporary Ngrok domain is also why the service has gained a massive popularity with phishing groups in recent years, having also often been used to host phishing sites with 2FA interception capabilities for Google and YouTube sites as well, so it is no surprise that Facebook is also dealing with the same issues.

Lawsuit won't achieve anything but will create legal precedent

This also comes as, according to Hassold, the number of Meta-property phishing sites (Facebook, WhatsApp, Instagram) had increased substantially in recent years, consistently appearing among the most-phished brands in the world, which would explain Meta's new legal gymnastics.

"Well-known brands are diligent about protecting their brand, even against phishing threat actors," Tonia Dudley, Strategic Advisor at Cofense, also told The Record in an email.

"As far as this lawsuit having an impact on the threat actors, I suspect this legal action by Facebook is most likely aimed at setting a precedent that they will go after threat actors using their brand/name, while also showing they have the capability to identify who is behind the phishing campaigns," Dudley added.

Hassold also echoed the Cofense exec's conclusion.

"Based on the content of the lawsuit, however, I don't see anything that would trigger a noticeable impact to the actual frequency of phishing attacks abusing Facebook's brands," Hassold said.