Solutions
By Platform
DarkArmor

Enterprise-level Prebreach Technology

ProtectMe

Research and personal security

By Industry
Retail

Customer, supply chain, and vendor access protection

Education

Protect staff and student credentials, brand, and reputation

All Solutions
Why Us
About Us
Blog
Contact

Vietnamese Phishers Target Meta Business Owners with Over 400 Phish Pages

On November 23, 2024, our researchers uncovered a phishing campaign targeting Meta business account owners. Vietnamese threat actors, referred to as quyetnd288, created over 400 phishing sites aimed at stealing login credentials.

Written by
Nguyen Nguyen
on
November 24, 2024

The campaign exploited Meta’s terms of service, claiming that the targeted business accounts were flagged for deletion due to violations. Victims were prompted to submit their credentials and provide an explanation to keep their business pages active. This highlights the increasing sophistication and danger of targeted phishing campaigns against users of major platforms.

The Campaign’s Tactics

The attackers utilized a well-coordinated strategy to lure Meta business owners into providing their sensitive data:

  • Phishing Pages: Over 400 fake websites mimicked Meta’s Business Manager. These pages featured professional designs to appear authentic.
  • Social Engineering: The attackers exploited fear and urgency, encouraging victims to send their credentials and reasons for the false claim.

Figures 1 and 2 illustrate the phishing pages and their deceptive lures.

quyetnd288-page
Figure 1: Phish Page
quyetnd22-appeal-form
Figure 2: Phish Appeal Form

Infrastructure

The phishers utilized various web hosting platforms to deploy their phishing sites. Figure 3 presents a chart detailing the infrastructure employed by the attackers.

quyetnd288-Domains
Figure 3: Infrastructures

Phish Victims

We observed over 600 victims affected by these campaigns. The cybercriminals targeted businesses worldwide. Figure 4 provides an overview of the victims categorized by country.

quyetnd288-victims
Figure 4: Victim's countries

Potential Phish Owner

Our analysis of the phishing sites revealed that the captured data is transmitted to a Telegram channel managed by two users, @Tigerok3001 and @vlxx12312. Figure 5 illustrates the communication points utilized by the phishing operations.

Quyetnd288 - Phish C2
Figure 5: Phish C2

During our observation of the phishing activities, we discovered that the attackers initially deployed and tested their phishing kit at

http://103.186.67[.]50/intest.html

Analysis of the traffic revealed that one victim submitted the name “Nguyễn Đình Quyết” along with the email address quyetnd288@gmail.com. This name and email address were repeatedly used across multiple test phishing infrastructures, suggesting their involvement in the campaign’s early stages.

Indicators of Compromise

Below are the indicators of compromise (IOCs) we have identified so far:

https://github.com/cyberarmortech/iocs/blob/main/quyetnd288.txt

About the Author

Nguyen Nguyen

Nguyen is a seasoned cybersecurity leader with over 15 years of experience in software engineering, malware research, and cyber threat intelligence.

Read More...

August 4, 2025
How a Nigerian Hacker Uses AI to Build Cybercrime Tools and Launch Phishing Attacks

Our platform collected and analyzed over 3,000 screenshots from a Nigerian-based cybercriminal, giving a special behind-the-scenes look into the daily operations of a modern threat actor, revealing how campaigns are built with the help of AI.

June 19, 2024
New North Korean-Based Backdoor

In this paper we analyze a new threat campaign which is specifically focused on Aerospace and Defense companies: sectors appealing to multiple threat actors, but of particular interest to North Korean threat groups in other recent campaigns.

July 1, 2025
Phishing Attack Targets Canadian Infrastructure on Canada Day

Our systems detected a coordinated phishing campaign leveraging PDF-themed lures to harvest user email credentials. The attackers used socially engineered emails that mimicked service notifications, account updates, and login requests.

HomeAbout UsFAQ
DarkArmorProtectMe
BlogContactLinkedIn