Bitdefender Labs Cybersecurity Researchers Uncover New Malware Scam Targeting Meta’s Facebook Ad Network
In a recent revelation, cybersecurity experts from Bitdefender Labs have exposed a fresh wave of malicious activities targeting Meta’s advertising network on Facebook. The threat entails the utilization of NodeStealer malware, a notorious information-stealing tool, to pilfer sensitive user and device data, encompassing browser cookies and passwords. This malevolent software equips its operators with the ability to commandeer Facebook, Gmail, Outlook, and various other accounts.
Notably, Meta has been grappling with an onslaught of malware attacks, primarily on its Facebook Business accounts network. Here, cyber adversaries relentlessly endeavor to filch users’ login credentials and critical payment information.
According to a comprehensive blog post published by Bitdefender on October 31, 2023, the malevolent actors are actively exploiting Meta’s Ads Manager tool in these nefarious schemes. The research findings indicate that the campaign is chiefly aimed at male users, predominantly aged 45 and above, though the age group spans from 18 to 65, and the victims primarily hail from Africa, Europe, and the Caribbean.
Bitdefender’s research brings to light a disconcerting evolution in the cybercriminal strategy: the attackers are now targeting ordinary Facebook users, not just business accounts. The threat actors are employing ad credit balances from hacked business accounts to disseminate misleading, malware-infested advertisements, thereby facilitating the delivery of malware to unsuspecting individuals.
The technique of this campaign revolves around the presentation of advertisements featuring alluring images of young women. For this purpose, the attackers have established Facebook pages where they broadcast counterfeit ads showcasing a collection of suggestive photos of young women, a substantial portion of which are either AI-generated or digitally manipulated. Researchers have identified numerous fictitious profiles carrying out this nefarious activity, some of which include:
- Album Private Update Today
- Album New Update Today
- Album Update
- Private Album Update
- Hot Album Update Today
- Album New Update Today
These albums redirect users to repositories on platforms like GitLab or Bitbucket, housing archives containing the Windows executable that installs a new variant of the NodeStealer information-stealing malware. Intriguingly, the attackers further lure users with enticing descriptions urging them to download the media archive. Examples of these captions include “Watch now before it’s deleted” and “New stuff is online today.”
Once an unsuspecting user takes the bait and clicks on the ads or photos, they are redirected to a malicious website, prompting them to download a file bearing the title “Photo Album.” This file is, in fact, an archive containing the malicious executable.
Upon successful infiltration of the victim’s device by NodeStealer, the malware commences its nefarious activities, pilfering sensitive data such as Facebook account credentials, browser cookies, and other personal information. These credentials are then exploited by the attackers to hijack the victim’s account. In a shocking revelation, the researchers noted a staggering 100,000 potential malware downloads within a mere ten days, with a single ad attracting around 15,000 downloads in just 24 hours.
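The delivery chain described above (an ad click, a Facebook redirect, an archive download from a GitLab or Bitbucket repository, and a lure filename such as “Photo Album”) can be turned into a simple detection heuristic over web-proxy logs. The following Python script is an added example written for this article, not code from Bitdefender or from the original post. The log format, client addresses, repository paths and filenames are constructed for illustration, and the three rules are defender-side heuristics to tune locally, not indicators taken from the report.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample proxy log lines (illustrative only, not indicators from the article).
# Format: <timestamp> <client_ip> <method> <url> "<referer>" <status>
SAMPLE_LOG = """\
2023-11-02T10:15:03Z 10.0.0.12 GET https://gitlab.com/example-user/pics/-/raw/main/Photo%20Album.zip "https://l.facebook.com/" 200
2023-11-02T10:15:41Z 10.0.0.12 GET https://bitbucket.org/example-user/media/downloads/album.rar "https://www.facebook.com/" 200
2023-11-02T10:16:10Z 10.0.0.7 GET https://gitlab.com/example-user/project/-/raw/main/README.md "https://gitlab.com/" 200
2023-11-02T10:17:22Z 10.0.0.9 GET https://example.org/reports/q3-report.zip "https://intranet.example.org/" 200
2023-11-02T10:18:05Z 10.0.0.3 GET https://cdn.example.net/Photo%20Album.zip "" 200
"""

# Code-hosting platforms named in the article as the archive source (assumed exact hostnames).
CODE_HOSTS = {"gitlab.com", "bitbucket.org"}
# Archive extensions a defender would treat as "downloaded archive" (assumption).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
# Naming pattern of the lure ("Photo Album", "Album ... Update"); tune to local telemetry.
LURE_WORDS = ("album",)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d{3})$')


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": referer, "status": int(status)}


def analyze(event):
    """Return the list of heuristic reasons that apply to an archive download event."""
    reasons = []
    url = urlparse(event["url"])
    filename = unquote(url.path.rsplit("/", 1)[-1])
    if not filename.lower().endswith(ARCHIVE_EXTENSIONS):
        return reasons  # only archive downloads are of interest here
    if url.hostname in CODE_HOSTS:
        reasons.append("archive served from a code-hosting platform")
    ref_host = urlparse(event["referer"]).hostname or ""
    if ref_host == "facebook.com" or ref_host.endswith(".facebook.com"):
        reasons.append("download referred from a Facebook link")
    if any(word in filename.lower() for word in LURE_WORDS):
        reasons.append("filename matches the 'album' lure naming")
    return reasons


def scan(log_text, min_reasons=2):
    """Scan log text and return (client, url, reasons) for downloads hitting >= min_reasons rules.

    Requiring two independent rules keeps a lone 'album.zip' from an internal share,
    or a README fetched from GitLab, from raising an alert on its own.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = analyze(event)
        if len(reasons) >= min_reasons:
            alerts.append((event["client"], event["url"], reasons))
    return alerts


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} downloaded {url}")
        for r in reasons:
            print(f"    - {r}")
```

The two-rule threshold is deliberate: on the constructed sample only the two Facebook-referred archive downloads from GitLab and Bitbucket are flagged, while the same “Photo Album.zip” name fetched from an ordinary CDN with no referrer is recorded as a single weak signal and left alone.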
It’s pertinent to note that there have been similar campaigns where attackers hijacked Facebook business accounts using NodeStealer 2.0 and looted cryptocurrency. That campaign was first detected in August by the diligent researchers at Palo Alto Networks’ Unit 42.
“The first line of defence against Nodestealer malware (delivered via phishing links, attachments or ads) is to always use a security solution on your device and keep it up to date. Anti-malware and anti-virus software keep you and your devices safe from new and existing threats by detecting malware and safely removing or stopping it from causing any damage,” researchers concluded.