MA-977.102023: MyCERT Alert - Fake Midvalley Shopping Mall Facebook Message Containing a Fake Website

  • 30 Oct 2023
  • Alert
  • facebook, ads, phishing

1.0 Introduction

MyCERT has recently observed a surge of scam ads promoting various products and promotions on Facebook, the popular social media platform by Meta.

The ads are created by various Facebook pages impersonating legitimate individuals and brand names, claiming to run discounted sales and promotions. One recently observed ad impersonates Mid Valley Megamall, a popular shopping mall in Malaysia, and claims to run a promotion for Dior Sauvage perfumes.

The ads typically lead to a different website which asks you to complete a survey, fill in a delivery address, or provide sensitive banking details.

The phishing Facebook ad related to this threat is shown in Figure 1.

The modus operandi used by the threat actor is shown below:

  1. A potential victim sees an advertisement in their Facebook account.
  2. Tempted by the online offer, the victim clicks the phishing link (hXXp[:]//www.midvalleymy[.]website/diorsauvagebigsale).
  3. On the phishing site, once the victim clicks Buy Now, they are required to fill in a delivery address.
  4. The phishing site claims that the order is confirmed, that delivery will be made within 3-5 days, and that the victim is required to make payment upon receipt.
  5. By this stage, the threat actor has obtained personal data, or Personally Identifiable Information (PII), which is information connected to a specific individual that can be used to uncover the individual's identity.
  6. Below are screenshots of different phishing sites, (hXXp[:]//www.diorofficial[.]online/missdiorbigsale) and (hXXp[:]//www.diorofficial[.]online/diormenssummer), which use the same modus operandi.
  7. As of writing, the phishing sites are still active. MyCERT has notified the hosting provider to investigate and take appropriate action against the phishing sites.
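
Added example (not part of the MyCERT alert): a way to check web proxy logs for clients that reached the sites listed above, matching on exact host or subdomain so that lookalike hosts are not flagged by substring. The log format, the sample lines (including the "shop." subdomain and the example.com host) and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the alert; kept defanged in source, refanged at run time.
DEFANGED_IOCS = [
    "hXXp[:]//www.midvalleymy[.]website/diorsauvagebigsale",
    "hXXp[:]//www.diorofficial[.]online/missdiorbigsale",
    "hXXp[:]//www.diorofficial[.]online/diormenssummer",
]

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return ioc.replace("[:]", ":").replace("[.]", ".")

def blocked_domains(iocs):
    """Host of each indicator with a leading 'www.' dropped."""
    domains = set()
    for ioc in iocs:
        host = urlsplit(refang(ioc)).hostname or ""
        domains.add(host[4:] if host.startswith("www.") else host)
    domains.discard("")
    return domains

def host_matches(host, domains):
    """Exact or subdomain match; a bare substring match would over-block."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def find_hits(log_lines, domains):
    """Return (client, url) for every log line whose URL host is listed."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname
        if host and host_matches(host, domains):
            hits.append((client, url))
    return hits

# Constructed sample log (assumed format: time client method url status).
SAMPLE_LOG = [
    f"2023-10-30T09:12:01Z 10.0.0.21 GET {refang(DEFANGED_IOCS[0])} 200",
    "2023-10-30T09:12:07Z 10.0.0.22 GET http://diorofficial.online.example.com/x 200",
    f"2023-10-30T09:13:40Z 10.0.0.35 GET {refang('hXXp[:]//shop.diorofficial[.]online/cart')} 200",
]
```

Calling `find_hits(SAMPLE_LOG, blocked_domains(DEFANGED_IOCS))` returns the clients at 10.0.0.21 and 10.0.0.35; the example.com host is skipped because it only contains a listed domain as a prefix.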