The lawsuit, filed in a federal court in Northern California, says that since 2019 more than 39,000 websites have been created that impersonated the login pages for Facebook, Instagram, Messenger and WhatsApp. Meta doesn’t know who is behind the attack but says it’s part of an effort to trick its users into entering their usernames and passwords.
The move underscores how the world’s largest social network is trying to combat phishing, a practice in which attackers will create fake websites or emails to try to dupe people into providing their personal information.
“Reports of phishing attacks have been on the rise across the industry and we are taking this action to uncover the identities of the people behind the attack and stop their harmful conduct,” Jessica Romero, Meta’s director of platform and litigation, said in a blog post.
In July, the Anti-Phishing Working Group said it logged 260,642 phishing attacks, the highest monthly total in the group’s reporting history. Phishing attacks have doubled from 2020, according to the group’s report.
The unnamed defendants used services from San Diego-based tech company Ngrok to conceal their identities and “relay internet traffic to their phishing websites in a manner that obfuscated where their websites were hosted,” the 21-page lawsuit says. The lawsuit included screenshots of login pages that looked identical to the login pages for Facebook, Instagram, Messenger and WhatsApp but used Ngrok URLs. Some of the fake websites were in English and Italian.
Ngrok founder and CEO Alan Shreve said the company works with Meta and other firms to “detect, limit, and eliminate the impact of malicious actors across each of our systems.”
“At its core, Ngrok allows millions of developers to easily and securely connect anything to the internet. Unfortunately, bad actors have used this capability to launch spamming, spoofing, and phishing attacks which we detect and stop using a multi-pronged approach combining automatic detection of suspicious activities, human moderation, and external reporting,” Shreve said.
Meta alleges in the lawsuit that the defendants violated the social network’s terms of service, California’s Anti-Phishing Act and a federal law that prohibits trademark infringement. The lawsuit doesn’t say how many people were tricked into handing over their personal information.