Meta (formerly known as Facebook) has filed a lawsuit with financial technology and digital banking company Chime against two Nigerian individuals who allegedly used Instagram and Facebook accounts to impersonate Chime and target users in phishing attacks.
The two defendants, Arafat Eniola Arowokoko and Arowokoko Afeez Opeyemi, allegedly used a network of at least 5 Facebook accounts and over 800 Instagram accounts to impersonate the fintech company in an attempt to take over customers’ accounts.
With the assistance of these accounts, they lured potential targets to Chime-branded phishing websites to steal Chime login credentials and gain access to the victims’ accounts.
For example, one phishing website is still online, asking visitors to enter their phone number, email, Social Security Number, and Chime password. The primary goal of the attacks was to withdraw money out of hijacked Chime accounts without the victims’ knowledge.
These phishing websites encouraged users to enter their Chime usernames and passwords in order to compromise their Chime member accounts and withdraw funds.
“Since June 2020, Meta has taken multiple enforcement actions against Defendants for violating its Terms, including as recently as October 22, 2021,” according to the joint complaint Meta and Chime filed in the US District Court for the Northern District of California on Monday.
Meta disabled Facebook and Instagram accounts that were used to impersonate Chime and blocked the phishing websites from its platforms. On July 9, 2021, it also sent cease-and-desist letters notifying the two defendants that their conduct violated the platforms’ terms and revoked their Facebook and Instagram access.
“Nonetheless, Defendants continued to create new Chime-impersonating accounts. In total, between June 5, 2020, and October 22, 2021, Meta disabled more than 800 Facebook and Instagram accounts and blocked phishing websites associated with Defendants and their scheme from being accessed on Facebook and Instagram,” the joint complaint added.
This action is part of a broader series of lawsuits filed by Meta against threat actors abusing its platforms for malicious purposes and targeting its users.
In December, Meta filed a federal lawsuit against cybercriminals who operated over 39,000 phishing sites targeting Facebook, Messenger, Instagram, and WhatsApp users.
Meta also joined Apple in suing Pegasus spyware developer NSO Group for illegally hacking its users by exploiting previously unknown security flaws in both iOS and WhatsApp, according to a press release by Apple. This was followed by a Dec. 16 announcement by Meta that it has disrupted the operations of seven spyware-making companies by blocking their infrastructure on its platform, sending cease and desist letters, and banning their accounts.