Cybersecurity researchers have disclosed two new campaigns that use malicious advertising and fake websites to serve fake browser extensions, stealing sensitive data.
The per-BitDefender Malvertising campaign is designed to push a fake “meta-validation” browser extension named SocialMetrics Pro, which claims to unlock Blue Check Badge on Facebook and Instagram profiles. At least 37 malicious ads have been observed serving the extension in question.
“The malicious ads bundle a video tutorial that will guide viewers to download and install so-called browser extensions that claim to unlock the blue verification ticks of Facebook and other special features,” said the Romanian cybersecurity vendor.
But in reality, an extension hosted on a legal cloud service called Box can collect session cookies from Facebook and send them to an attacker-controlled telegram bot. It also has equipment to obtain the victim’s IP address by sending a query to IPINFO.[.]IO/JSON.
A selection variant of the Rogue browser add-on can be observed using stolen cookies and interact with the Facebook graph API to retrieve additional information related to your account. In the past, malware like Nodestealer has leveraged the Facebook graph API to collect account budget details.
The ultimate goal of these efforts is to sell valuable Facebook business and advertising accounts on underground forums to benefit other scammers or reuse them to promote more fraud campaigns.
The campaign displays all “fingerprints” that are usually associated with Vietnamese-speaking threat actors who are known to employ different steeler families to target and acquire unauthorized access to your Facebook account. This hypothesis is enhanced by the use of Vietnamese people to narrate the tutorial and add comments in the source code.
“By using a trusted platform, attackers can generate large amounts of links, automatically embed them in tutorials, and continuously update campaigns,” says Bitdefender. “This fits the bigger pattern of attackers’ industrialization where everything from advertising images to tutorials is created at once.”
This disclosure coincides with another campaign targeting meta-advertisers using Rogue Chrome Extensions, distributed through counterfeit websites that disguise as artificial intelligence (AI)-powered ad optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.
“This extension, touted as a tool to streamline campaign management and enhance ROI using artificial intelligence, provides malicious features that can hijack business sessions, steal qualifications, and compromise metabusiness accounts.”
“The extension is advertised as a productivity or advertising performance enhancer, but it acts as dual purpose malware that can steal credentials, access session tokens, and enable account takeover.
The first extension is still available for download from the Chrome Web Store at the time of writing, but is listed below –
Once installed, the extension gains full access to all websites that users visit, allowing threat actors to inject any scripts, intercept and modify network traffic, monitor browsing activity, capture form input, and harvest sensitive data.
Users will also link their Facebook and Google accounts to encourage them to access the service, but their identity is secretly harvested in the background. Additionally, the add-on works similarly to the fake meta-validation extension mentioned above in that it uses the victim’s stolen Facebook credentials to interact with the Facebook Graph API.
“This step-by-step approach reveals a clear threat factor strategy. It first captures Google ID data and then pivots to Facebook to increase access, increasing the chances of hijacking valuable business or advertising assets.”
Source link
