PaaS| CERT.LV discovered what identified to be a link to a “URL shortener” service or a Facebook (FB) phishing page enclosed within a suspicious post in a FB Group.

While investigating this phishing site, a more complex service generating FB and other popular service (e.g. Fortnite) phishing sites was discovered.

This “Phishing Generator Service”, provides to potential “lazy” attackers a “phishing as a service” tool to automate the technical operations required to generate phishing sites and carry out campaigns to steal user data and credentials.

As a bonus, a dashboard is provided for the attackers showing:
- Top 3 users who have gathered the most password in the last 24h;
- Phishing sites generated by other users of the phishing service.

The threat actor manages to get FB data of new accounts as the attackers actively use the framework. 
The spread of links to phishing sites occurs through a set of compromised accounts.

From the attacker’s perspective, the operations are the following:
- The attacker logs into the service and with just a click generates a link to a new phishing site
- The attacker can customise the site appearance with images and button names, to his liking
- Service will provide the new URL: http(s)://some.compromised.web/[base64_string]