Protecting Your Important: Social Network Scams May Cost You (and Your Employer) a Fortune


October 31, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Protecting Your Important: Social Network Scams May Cost You (and Your Employer) a Fortune

In today’s interconnected world, social media platforms have become an integral part of our lives. They provide us with an avenue to connect with friends, share our experiences, and even discover new opportunities. However, as we engage with these platforms, we must also be aware of the potential threats lurking in the digital realm. This blog post aims to shed light on the latest tricks that can compromise the security of your social media accounts, your personal data, your reputation, and even your finances.

Cybersecurity on social networks:  a growing concern

In recent years, cybercriminals have increasingly turned their attention to social media platforms, exploiting their vast user base for malicious purposes. It has become crucial for users like you to stay vigilant and informed about these threats, as one of the most prevalent tactics employed by cybercriminals is abusing the ad networks on these platforms.

Bitdefender Labs keeping watch

During the past few months, we’ve been closely monitoring a concerning trend among cybercriminals who exploit social media networks through a technique known as “malvertising.” The ultimate goal of these attacks is to hijack your accounts and steal your personal data using malicious software.

Understanding malvertising campaigns

Malvertising campaigns take advantage of the very tools used by legitimate entities to distribute online ads. Cybercriminals cleverly submit infected links to typical advertisement networks, often tempting users with enticing offers or provocative content to click on these links.

Our focus today is on how cybercriminals have adapted NodeStealer attacks to abuse Meta’s ad network on Facebook, putting your privacy and security at risk.

What we found

Here’s a summary of our analysis conducted from October 10th to 20th:

  • We discovered multiple hijacked Facebook accounts, including at least ten compromised business accounts that continue to serve malicious ads to the public.
  • These ads contain a newer version of NodeStealer.
  • The threat actors created multiple Facebook profiles, often luring users with access to new media files featuring portrayed women.
  • Multiple iterations of the same ad were used in about 140 malicious ad campaigns.
  • Attackers used a maximum of five active ads at a time, switching between them at 24-hour intervals to evade user reports.
  • The ads used revealing photos of young women to entice victims into deploying the payload.
  • Clicking on these ads immediately downloads an archive containing a malicious .exe “Photo Album” file, which also drops a second executable written in .NET, responsible for stealing browser cookies and passwords.

Considering each ad click instantly downloads the malicious archive, we estimate up to 100,000 potential downloads from the Ad reach analysis, with a single ad amassing as many as 15,000 downloads within just a 24-hour period. The most affected demographic is males aged 45 and above*.

*This demographic and reach information was collected by tracking the ads on Meta Ad Library.

Understanding NodeStealer: a highly-specialized threat

Before we dive into the specifics of the newly discovered NodeStealer campaign wreaking havoc on Facebook, let’s review what NodeStealer is all about.

NodeStealer is a relatively new info-stealer, discovered by Meta’s security team in January 2023. This malicious tool allows threat actors to steal browser cookies and conduct account takeovers at scale. Although initially designed to hijack cookie sessions (we have a nice primer on cookies here) from web browsers like Google Chrome, Microsoft Edge, Brave, and Opera, and to take over Facebook accounts, threat actors have continually enhanced this malware with new capabilities over the year.

New NodeStealer version 2.1 adds extra target applications and services

The NodeStealer malware discovered by our researchers is the modernized version of the info-stealer, written in Node. Cybercriminals have added new features that allow them to access additional platforms (Gmail and Outlook), steal crypto wallet balances, and download additional malicious payloads. These components could have devastating financial and reputational consequences for victims.

A Fresh Take on NodeStealer Attacks on Facebook

At Bitdefender Labs, we’ve observed a new approach to NodeStealer attacks deployed on Facebook. Threat actors are now using compromised business accounts to deliver malicious ad campaigns to unsuspecting internet users.

How It Works

According to our researchers, threat actors are no longer interested in hijacking only Facebook business accounts. They’ve expanded their attacks to target regular Facebook users through distinctive methods.

To gain access to your accounts and systems, cybercriminals abuse ad credit balances of compromised business accounts to run and manage ads that deliver the malware to their selected target audience.

They create a Facebook page under the name “Album Update” (or similar) and add revealing photos of young women (usually 1 or 2 photos).

They then start running ads promoting this revealing content. As key visuals, they use heavily edited images or, in some circumstances, AI-generated pictures of people. Instead of offering the promised content, the victim is lured to download a Windows application that installs a recent version of the NodeStealer malware. NodeStealer will then start exfiltrating user cookies and other sensitive information to its operators.

Once in posession of cookies, attackers can start hijacking even more accounts - this time for good: they would attempt to change passwords and add additional security measures to accounts to completely cut off access by the legitimate owner and commit a variety of types of fraud.

An in-depth report about NodeStealer and its purpose is available in this research article on Bitdefender Labs.

How to stay safe

The evolving landscape of cyber threats on social media demands vigilance. As a user, it’s crucial to stay informed and take steps to protect your accounts, data, and personal information. By understanding these threats and staying alert, you can navigate the digital world more safely.

  • Make sure you don't click ads that look suspicious or are overpromising.
  • Never run executable files that are automatically downloaded after you click a link. Look for double extensions - hackers love disguising executable files as JPG or PDF formats to lure slightly suspicious victims into opening attachments.
  • Run a security solution at all times and don't turn it off if it keeps blocking a file downloaded from the Internet.




The meaning of Bitdefender’s mascot, the Dacian Draco, a symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.”

View all posts

You might also like