Scammers are using AI-generated provocative ads to lure users into downloading and installing the notorious NodeStealer malware.
Cybersecurity researchers at Bitdefender Labs have shared details of a new wave of malware scams targeting Meta’s ad network on Facebook to steal user data via deploying NodeStealer malware.
It is an information-stealing tool designed to steal sensitive user/device data, including browser cookies and passwords. It allows its operators to hijack Facebook, Gmail, Outlook, and other accounts.
Meta has been under malware attacks, particularly on its Facebook Business accounts network, where malicious actors attempt to steal users’ login credentials and payment information.”
According to Bitdefender’s blog post published on 31 October 2023, Meta’s Ads Manager tool is actively exploited in these scams. Researchers noticed that the campaign targets male users (aged 18-65 but mostly 45+ males) on Facebook, primarily from Africa, Europe, and the Caribbean.
Per Bitdefender’s research, cybercriminals are now targeting regular Facebook users apart from business accounts. The threat actors use ad credit balances of hacked business accounts to run misleading, malware-infected ads to deliver malware to unsuspecting users.
The campaign involves displaying ads featuring provocative photos of young women. For this purpose, attackers have created Facebook pages where they run fake ads featuring a few revealing photos of young women, many of which are AI-generated or photoshopped/edited. According to researchers, several fake profiles have been performing the same activity. These include:
- · Album Update
- · Private Album Update
- · Album Girl News Update
- · Hot Album Update Today
- · Album New Update Today
- · Album Private Update Today
These albums link to Gitlab or Bitbucket repositories that store the archive containing the Windows executable and install a new variant of the NodeStealer infostealer. Attackers also lure users through short descriptions so that they download the media archive. For instance, they post captions like “Watch now before it’s deleted” and “New stuff is online today.”
When an unsuspecting user clicks on the ads or photos, they get redirected to a malicious website and are prompted to download a file titled “Photo Album.” This is an archive file containing the malicious executable.
Further, once NodeStealer gets installed on the victim’s device, it starts stealing data such as Facebook account credentials, browser cookies, and other personal data, which attackers then use to hijack the account. Within just ten days, there have been 100,000 potential malware downloads, and a single ad attracted around 15,000 downloads within 24 hours.
Hackread reported a previous campaign where hackers hijacked Facebook business accounts using NodeStealer 2.0 and stole cryptocurrency. This campaign was detected in August by Palo Alto Networks’ Unit 42 researchers.
It’s unclear which cybercrime gang is behind the recent campaign. Previous attacks, like those against Meta from Vietnam, raise concern. Caution is advised when clicking ads or accessing websites.
“The first line of defence against Nodestealer malware, delivered via phishing links, attachments or ads) is to always use a security solution on your device and keep it up to date. Anti-malware and anti-virus software keep you and your devices safe from new and existing threats by detecting malware and safely removing or stopping it from causing any damage,” researchers concluded.
- Facebook ads dropped malware posing as Clubhouse app for PC
- Fake ChatGPT and AI pages on Facebook are spreading infostealers
- Beware of Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
- Ducktail Malware Exploits LinkedIn to Hack Facebook Business Accounts
- Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India