
Latest news with #accounttakeover

Meta And PayPal Users Warned Of Instant Account Takeover Attack

Forbes

21-05-2025


Beware this instant account takeover attack. Oh boy, here we go again: another hacking campaign that security experts say is surging, and this one can see your Meta or PayPal account compromised in real time and almost instantly. While attacks against the Meta family, such as the newly reported automated checker threat to Instagram users, or the 48-hour security alert targeting PayPal accounts, are not uncommon, this latest one is particularly alarming given the delivery method and the speed at which it can strike. The campaign combines polymorphic identifiers, advanced man-in-the-middle proxy mechanisms and two-factor authentication bypass techniques into one razor-sharp threat. A threat that can harvest your password and 2FA codes, compromising your account in a heartbeat. Here's what you need to know.

I have been given an advanced look at a new report to be published by KnowBe4 on May 23 and permission to warn my readers ahead of that date, as the threat is really rather alarming. If you will excuse the Joker reference, why so serious? The dangerous attack is, I am reliably informed, surging, for one. For a second, it's being described as one of the most sophisticated Meta-themed phishing campaigns ever, courtesy of its ability to take over an account almost instantly. Thirdly, the emails that are being deployed in this campaign are sent using a legitimate Google-owned domain. And fourthly, in just a single day, KnowBe4 has confirmed that 11% of all the global email threats it neutralised were sent from this domain, and 98% of them impersonated Meta, while the remainder impersonated PayPal.

The KnowBe4 Threat Labs report will be worth a read in full on Friday, but here's my advance TL;DR version.
The phishing threat is exploiting Google's AppSheet platform, its workflow automation processes enabling the attackers to not only operate at scale, but use a trusted and legitimate domain, noreply@ so as to bypass protections relying upon strict domain authentication and reputation checks. Although the vast majority of the campaign emails were impersonating Meta, a small percentage also targeted PayPal users.

It should come as absolutely no surprise that urgent warnings about account security are employed by the attackers, leveraging fear of compromise to, oh, the horrible irony, enable account compromise. The aim is to get the reader to click a malicious 'submit an appeal' link. If they do, then they are redirected to the guts of the hacking campaign, where passwords and 2FA codes can be stolen.

A double-prompt is also used, with the fake site falsely claiming the first attempt was incorrect. KnowBe4 said that this is to encourage accurate entry of credentials, introduce confusion to impact critical thinking and allow the attacker to compare both inputs for added validity.

I have reached out to Google, Meta and PayPal for a statement.
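Because the messages described above are sent from a legitimate platform domain, they pass sender authentication, so a mail filter has to look at the mismatch between the brand a message claims and the domain it came from. The following triage sketch is an added example, not code from the article or from KnowBe4; the brand allowlist, the reason labels, the sample message and the placeholder sender domain `automation-platform.example` are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains each brand sends from (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com", "instagram.com"},
    "paypal": {"paypal.com"},
}
# Lure wording taken from the article ("submit an appeal") plus assumed variants.
URGENT_CTA = re.compile(r"submit an appeal|account (?:will be|has been) \w+", re.I)

# Constructed sample: authenticated mail from a third-party platform posing as Meta.
SAMPLE_PHISH = """\
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
From: "Meta Support" <noreply@automation-platform.example>
Subject: Policy violation notice

Submit an appeal within 24 hours: https://appeal.example/form
"""

def auth_passed(msg):
    """True when the receiving server recorded a DMARC pass for the message."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return bool(re.search(r"\bdmarc=pass\b", results, re.I))

def impersonated_brand(msg):
    """Brand named in the display name or subject whose domains exclude the sender."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if re.search(rf"\b{brand}\b", text) and not owned:
            return brand
    return None

def triage(raw):
    """Return the reasons a raw RFC 5322 message looks like this campaign."""
    msg = message_from_string(raw)
    brand = impersonated_brand(msg)
    reasons = [f"brand-mismatch:{brand}"] if brand else []
    if brand and auth_passed(msg):
        # Authentication only proves the platform sent it, not that the brand did.
        reasons.append("auth-pass-on-non-brand-domain")
    if not msg.is_multipart() and URGENT_CTA.search(msg.get_payload()):
        reasons.append("urgent-appeal-cta")
    return reasons
```

A message that raises all three reasons is a candidate for quarantine and review; a single reason on its own is weak evidence.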
