Meta (formerly known as Facebook) has filed a joint lawsuit with Chime, a financial technology and digital banking company, against two Nigerian individuals who allegedly used Instagram and Facebook accounts to impersonate Chime and target its users in phishing attacks.
The two defendants, Arafat Eniola Arowokoko and Arowokoko Afeez Opeyemi, presumably used a network of at least five Facebook accounts and over 800 Instagram accounts to impersonate the fintech company, attempting to take over customers’ accounts.
With the help of these accounts, they lured potential targets to Chime-branded phishing websites to harvest Chime credentials (email and password) and hijack the victims’ accounts.
One such phishing website is still online at chime62.godaddysites[.]com, asking visitors to enter their phone number, email, Social Security Number, and Chime password.
The end goal of the scheme was to withdraw money out of hijacked Chime accounts without the victims’ knowledge.
These phishing websites prompted users to enter their Chime usernames and passwords to compromise users’ Chime member accounts and withdraw funds.
“Since June 2020, Meta has taken multiple enforcement actions against Defendants for violating its Terms, including as recently as October 22, 2021,” according to the joint complaint Meta and Chime filed in the US District Court for the Northern District of California.
Meta disabled Facebook and Instagram accounts used to impersonate Chine and blocked the phishing websites from its services. On July 9, it also sent cease-and-desist letters notifying the two defendants that their conduct violated the platforms’ terms and revoking their Facebook and Instagram access.
“Nonetheless, Defendants continued to create new Chime-impersonating accounts. In total, between June 5, 2020, and October 22, 2021, Meta disabled more than 800 Facebook and Instagram accounts and blocked phishing websites associated with Defendants and their scheme from being accessed on Facebook and Instagram.”
For instance, Meta filed a lawsuit in December against the operators of over 39,000 phishing sites targeting Facebook, Messenger, Instagram, and WhatsApp users.