An info-stealer campaign is now targeting Facebook users with revealing photos

Avatar

Cybercriminals are using Facebook ads to distribute malware and hijack users’ social media accounts, researchers have found.

In the so-called malvertising campaign, hackers exploit legitimate tools for online ad distribution and insert infected links into typical advertisements. To entice users into clicking, the campaign offers “provocative enticements” — in this case, lewd images of young women, according to cybersecurity researchers at Bitdefender.

The researchers report that the campaign is intended to deliver a new version of the NodeStealer malware to victims’ devices. Some of the photos in the ads seem to have been edited or AI-generated.

NodeStealer is a relatively new info-stealer that, among other things, allows threat actors to steal victims’ browser cookies and take over Facebook accounts.

In a previous campaign, researchers observed hackers using NodeStealer to take over Facebook business accounts and steal money from cryptocurrency wallets. Researchers at Facebook parent Meta said they first identified the malware in January.

In the recent campaign described by Bitdefender, cybercriminals used at least 10 compromised business accounts to run and manage ads distributing the malware to regular Facebook users — primarily men in their 40s and older from Europe, Africa and the Caribbean.

Each click on the ad instantly downloads the malicious executable file to the victim’s device. The researchers estimated that nearly 100,000 users downloaded the malware in just 10 days.

It is unclear which hacker group is behind this campaign. The first NodeStealer attacks were attributed to threat actors in Vietnam, who targeted business users through Facebook Messenger.

A NodeStealer variant discovered in the latest campaign is slightly updated, researchers said. It has new features that allow hackers to gain access to additional platforms, such as Gmail and Outlook, and download additional malicious payloads.

Once cybercriminals gain access to users’ browser cookies using the basic features of NodeStealer, they can take over Facebook accounts and access sensitive information, the researchers say.

Then, hackers can change passwords and activate additional security measures on accounts to completely deny access to the legitimate owner, allowing cybercriminals to commit fraud.

“Whether stealing money or scamming new victims via hijacked accounts, this type of malicious attack allows cybercrooks to stay under the radar by sneaking past Meta’s security defenses,” the researchers said.

MalwareCybercrimeNews
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Dallas County ‘interrupted’ data exfiltration, prevented encryption after attack

Next Post

California community college Río Hondo dealing with cybersecurity incident

Related Posts

Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds

Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. The shortcomings have been collectively named Unsaflok by researchers Lennert Wouters, Ian Carroll, rqu, BusesCanFly, Sam Curry, sshell, and Will Caruana. They were reported to the Zurich-based
Avatar
Read More