Marketing on Meta-owned platforms have become part and parcel for many organizations. Threat actors are keenly aware of this and often craft phishing attacks looking to capitalize on this fact. Our analysts frequently run across phishing emails attempting to leverage Meta ads in one way or another.

Recently, an interesting Meta ad violation campaign targeted many users claiming that their ad accounts had been temporarily disabled with the goal of stealing their Meta credentials.

The “SUBMIT” link leads to a Meta branded page, hosted on Google’s web�.]app domain, which includes a captcha checkbox and Meta branding.

Continuing to the next page includes a fictitious report number and requires some basic information to begin the rebuttal process on this ad violation and collects basic personal information.

After agreeing to the terms with the checkbox on and clicking “Submit” a password prompt is displayed. By design the page will always state an incorrect password was entered to farm all possible passwords from a victim.