Unit 42 researchers recently uncovered a previously unreported phishing campaign that distributed an infostealer capable of completely taking over Facebook business accounts.
Facebook business accounts were attacked with a phishing lure that offered tools such as business spreadsheet templates. This is part of a growing trend of attacks targeting Facebook business accounts for ad fraud and other purposes. The trend started in July 2022 with the discovery of the info-stealer Ducktail.
Phishing targets Facebook business accounts
Around eight months later, in March 2023, FakeGPT, a new variant of a fake Chrome extension for ChatGPT hijacking Facebook ad accounts, was reported. In April 42, Unit 2023 also reported on ChatGPT-related fraud attacks. In May 2023, a report from Meta surfaced about a new information-stealing malware called NodeStealer, which described malware that first went into action in July 2022. In January 2023, malicious activity related to NodeStealer was identified. NodeStealer allowed attackers to steal browser cookies to hijack accounts on the platform, specifically targeting business accounts.
While examining the growing trend, the researchers came across a campaign that began in December 2022 that has not been previously reported. The Infostealer distributed in the campaign shows many similarities to the July 2022 NodeStealer variant analyzed by Meta, which was written in JavaScript. However, the new campaign included two variants written in Python that were enhanced with additional features for the benefit of the attackers. These equipped the variants with cryptocurrency theft capabilities, downloader capabilities, and the ability to take over Facebook business accounts entirely.
Unknown campaign revealed
In the latest blog post, Unit 42 takes a closer look at the as-yet-unreported phishing campaign targeting Facebook business accounts and provides a detailed analysis of the malware. In addition, the researchers show the execution of the malware from the perspective of Cortex XDR (set to "Detect Only" mode). The researchers also provide recommendations on how Facebook business account owners can protect their accounts.
More at PaloAltoNetworks.com
About Palo Alto Networks Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.