{“lastseen”:”2025-08-07T14:12:45″,”description”:”A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn\u2019t resort to the usual links to phishing websites, but used mailto: links instead. Now, it seems that these scammers have turned their attention to Facebook users.\\n\\nIt works like this: The target receives an email saying that your Facebook account was logged into from a new device. Even though the subject line says \u201cWe’ve Received a request to Reset your password for Facebook Account !\u201d\\n\\n \\n\\n\\u003e \u201cA user just logged into your Facebook account from a new device iPhone 14 PRO Max. We are sending you this email to verify it’s really you.\u201d\\n\\nAll the links you see in the email: \u201cReport the user\u201d, \u201cYes, me\u201d, \u201cunsubscribe\u201d, and even the obfuscated email address at the bottom, do exactly the same thing.\\n\\nThey open your default email program with a pre-addressed message with a subject line that matches the button\/text you clicked on.\\n\\nThe email addresses these messages will be sent to are the same as the ones we saw with the Instagram phish:\\n\\n * `prestige@vacasa[.]uk.com` (typosquat of vacasa.com vacation rentals)\\n * `ministry@syntec[.]uk.com` (typosquat of syntechnologies.co.uk hardware provider)\\n * `technique@pdftools[.]com.de` (typosquat of pdf-tools.com software provider)\\n * `service@boss[.]eu.com` (several possibilities)\\n * `threaten@famy[.]in.net` (science news site, possibly compromised)\\n * `difficulty@blackdiamond[.]com.se` (known malicious domain)\\n * `anticipation@salomonshoes[.]us.com` (typosquat of salomon.com running shoes)\\n\\n\\n\\nThis is kind of surprising since we found last time that several of the addresses were unresponsive.\\n\\n\\n\\nThe unusual Top-Level Domains (TLDs) like uk.com, com.de, eu.com, com.se, and us.com are actually second-level domain extensions operated by private entities, not official country-code top-level domains.\\n\\nThough these domain extensions themselves are legitimate registration services, their openness and global accessibility mean they can be misused by phishers and other cybercriminals to make them look more legitimate or country-specific than generic .com domains. They may also be used to typosquat legitimate domains.\\n\\n## How to avoid Facebook phishing\\n\\nSince we can expect to see more phishing campaigns that use mailto: links, here are some tips to avoid falling victim to such a scam.\\n\\n * As with regular links, scrutinize the destination of an email link. Even if the domain looks legitimate, your Facebook account isn\u2019t secured by a shoe maker or vacation provider, or someone using a gmail address. The email address should be one that belongs to Facebook or Meta.\\n * Remember that legitimate companies will not ask you to mail them your account details, credentials, or other sensitive information.\\n * If there\u2019s an urgency to respond to an email, take a pause before you do. This is a classic scammer trick to get you to act before you can think.\\n * Don\u2019t reply if the warning looks suspicious in any way. Sending an email will tell the phishers that your email address is active, and it will be targeted even more.\\n * Do an online search about the email you received, in case others are posting about similar scams.\\n * Use Malwarebytes Scam Guard to assess the message. It will tell you whether it\u2019s a scam or give you tips how you can find out if it isn\u2019t sure.\\n\\n\\n\\n**We don ‘t just report on threats – we help protect your social media**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.”,”published”:”2025-08-07T12:31:34″,”modified”:”2025-08-07T12:31:34″,”type”:”malwarebytes”,”title”:”Facebook users targeted in \\u0026#8216;login\\u0026#8217; phish”,”source”:””,”references”:””,”id”:”MALWAREBYTES:3A37EE617EDA6A0E95059E2E8A3B71E5″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/08\/facebook-users-targeted-in-login-phish”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-07T14:12:45″,”description”:”A few weeks ago we warned our readers of a phishing campaign targeting Instagram users that didn\u2019t resort to the usual links to phishing websites,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-10055","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n