In a blog post, Meta explains that the defendants used the Ngrok service to send Internet traffic to fake login pages they created. Those who followed the phishing link were taken to a login page that resembled Facebook, Instagram, Messenger, or WhatsApp. When a user tried to log in, the defendants collected usernames and passwords from their victims.
Meta noticed that these attacks began to intensify in March this year, and together with Ngrok suspended the URLs that the fraudsters were using.