In a worrying turn of events, a group of cybercriminals has launched a targeted attack campaign aimed at male Facebook users. These malicious actors are employing sexually suggestive advertisements to bait victims into installing the NodeStealer malware on their devices, ultimately leading to the hijacking of their accounts and the theft of sensitive information.
While social media platforms provide access to a plethora of content, they also serve as gateways for large-scale attacks against unsuspecting users. Malicious threats loom over all social networks, emphasizing the importance of staying informed about cybercriminals’ latest attack methods to safeguard account security, personal data, and even prevent financial theft.
Bitdefender’s Cybersecurity Experts Uncover Malicious Advertising Campaign
Cybersecurity company Bitdefender’s team of cyberattack experts has identified a malicious advertising campaign specifically targeting male users on Facebook. The attackers use alluring ads featuring provocative images of women as bait to hijack user accounts and steal personal information by introducing a new variant of the NodeStealer malware.
During their investigation spanning from October 10th to October 20th, Bitdefender observed a “growing trend” among cybercriminals actively exploiting social media for the dissemination of malicious advertising.
In this campaign, the attackers establish a Facebook page and utilize advertising credit balances from compromised business accounts. The malicious actors initiate ad campaigns promoting false content, primarily using provocative images of women to entice potential victims.
Targeting an audience of men over the age of 45, the Facebook pages publish two images of women and encourage users to download the complete photo album. When users click the download link, they are redirected to a Bitbucket or GitLab repository hosting a Windows executable file that actually installs a recent version of the NodeStealer malware.
This file, named ‘Photo Album.exe,’ also downloads a second ‘.NET’ executable. These files enable the malware to steal browser cookies and passwords to gain access to the user’s account.
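As an added illustration (not code from the article or from Bitdefender's research), the following Python sketch correlates constructed endpoint events against the delivery chain described above: an executable fetched from a code-hosting site under a photo-album lure name, then executed, then a process reading a browser cookie database. The event field names, sample paths and the two-stage threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real IoCs): host A shows the lure chain,
# host B shows a benign download of a tool archive from the same kind of site.
EVENTS = [
    {"host": "A", "type": "download",
     "url": "https://bitbucket.org/example/album/downloads/Photo%20Album.exe",
     "path": r"C:\Users\u\Downloads\Photo Album.exe"},
    {"host": "A", "type": "process", "image": r"C:\Users\u\Downloads\Photo Album.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "A", "type": "file_read", "image": r"C:\Users\u\AppData\Local\Temp\stage2.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "B", "type": "download",
     "url": "https://gitlab.com/team/tool/-/releases/tool-1.2.zip",
     "path": r"C:\Users\v\Downloads\tool-1.2.zip"},
    {"host": "B", "type": "process", "image": r"C:\Program Files\Git\git.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Code-hosting / file-sharing sites named in the article as the download origin.
CODE_HOSTS = re.compile(r"https?://(www\.)?(bitbucket\.org|gitlab\.com|dropbox\.com)/", re.I)
# Lure filenames promising a photo album.
LURE_NAME = re.compile(r"(photo|album|pic|image)", re.I)
# Cookie / credential stores of the browsers the article lists as targeted.
COOKIE_DB = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser|"
                       r"Opera Software)\\.*\\(Cookies|Login Data)$", re.I)

def score_host(events):
    """Return the chain stages observed on one host, in event order."""
    stages, downloaded = [], set()
    for e in events:
        if e["type"] == "download" and CODE_HOSTS.search(e["url"]) and e["path"].lower().endswith(".exe"):
            downloaded.add(e["path"].lower())
            stages.append("exe_from_code_host")
            if LURE_NAME.search(e["path"]):
                stages.append("lure_filename")
        elif e["type"] == "process" and e["image"].lower() in downloaded:
            stages.append("downloaded_exe_executed")
        elif e["type"] == "file_read" and COOKIE_DB.search(e["path"]):
            stages.append("browser_cookie_access")
    return stages

def detect(events):
    """Map host -> stages for hosts where at least two distinct stages occurred."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return {h: s for h, s in ((h, score_host(ev)) for h, ev in by_host.items()) if len(set(s)) >= 2}
```

A single stage (one .exe from a code host) is common in legitimate use, so the threshold is what keeps this from paging on every developer download.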
Once the malware is installed, the cybercriminals gain unhindered access to the victim’s Facebook account. They may attempt to change passwords and add additional security measures to completely cut off the legitimate owner’s access, thereby utilizing the account for fraudulent activities.
In multiple malicious advertising campaigns, cybercriminals utilized a maximum of five active ads at any given time, posting them at 24-hour intervals to prevent affected users from warning others.
According to the study, it is estimated that such campaigns could result in approximately 100,000 downloads of the malware. In fact, Bitdefender observed 15,000 downloads within a mere 24-hour period with one of the analyzed ads. These statistics were obtained by tracking the ads in the Meta Ad Library.
At least 10 compromised business accounts continue to “publish malicious ads” on Facebook.
Cybersecurity Experts Warn of Increasingly Intelligent Tactics
Bitdefender’s cybersecurity experts have issued a warning that malicious actors are “increasingly using intelligent tactics,” leveraging legitimate online advertising tools and operations to infect users’ devices without their knowledge.
It is essential to note that NodeStealer is malware discovered by Meta in January of this year, designed to steal session cookies from commonly used web browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. With those cookies, cybercriminals can take control of business accounts without directly interacting with the victim.
However, as this malware is “relatively new,” Bitdefender has cautioned that malicious actors have continued to “work diligently” to enhance the malware with new capabilities.
In light of this threat, experts recommend that users remain vigilant against new tactics and, most importantly, exercise caution when encountering ads suggesting the download of photo albums from Bitbucket, GitLab, or Dropbox. Additionally, users are advised to keep updated security solutions running on their devices at all times.