In today’s interconnected world, social media platforms have become an integral part of our lives. They provide us with an avenue to connect with friends, share our experiences, and even discover new opportunities. However, as we engage with these platforms, we must also be aware of the potential threats lurking in the digital realm. This blog post aims to shed light on the latest tricks that can compromise the security of your social media accounts, your personal data, your reputation, and even your finances.
Cybersecurity on social networks: a growing concern
In recent years, cybercriminals have increasingly turned their attention to social media platforms, exploiting their vast user base for malicious purposes. Users need to stay vigilant and informed, because one of the most prevalent tactics now in use is abusing the platforms' own ad networks to reach victims.
Bitdefender Labs keeping watch
During the past few months, we’ve been closely monitoring a concerning trend among cybercriminals who exploit social media networks through a technique known as “malvertising.” The ultimate goal of these attacks is to hijack your accounts and steal your personal data using malicious software.
Understanding malvertising campaigns
Malvertising campaigns take advantage of the very tools that legitimate advertisers use to distribute online ads. Cybercriminals submit links to malicious content to ordinary advertisement networks, tempting users with enticing offers or provocative content so that they click.
Our focus today is on how cybercriminals have adapted NodeStealer attacks to abuse Meta’s ad network on Facebook, putting your privacy and security at risk.
What we found
Here’s a summary of our analysis conducted from October 10th to 20th:
Since each ad click immediately downloads the malicious archive, the ad reach figures put the number of potential downloads at up to 100,000, with a single ad accounting for as many as 15,000 downloads within a 24-hour period. The most affected demographic is males aged 45 and above*.
*This demographic and reach information was collected by tracking the ads on Meta Ad Library.
Understanding NodeStealer: a highly-specialized threat
Before we dive into the specifics of the newly discovered NodeStealer campaign wreaking havoc on Facebook, let’s review what NodeStealer is all about.
NodeStealer is a relatively new info-stealer, discovered by Meta’s security team in January 2023. It allows threat actors to steal browser cookies and conduct account takeovers at scale. It was initially designed to hijack cookie sessions (we have a nice primer on cookies here) from web browsers like Google Chrome, Microsoft Edge, Brave, and Opera, and to take over Facebook accounts, but threat actors have continually enhanced the malware with new capabilities over the year.
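To make "steal browser cookies" concrete, here is an added example (not Bitdefender's code and not NodeStealer's) that builds a constructed copy of the Chromium "Cookies" SQLite store, the file that Chrome, Edge, Brave and Opera share in layout, and pulls out the unexpired Facebook session cookies the way a stealer would. The column subset follows the real Chromium schema; the rows, the account id and the session values are made up, and the assumption that Facebook's `c_user` and `xs` cookies together identify a logged-in session is stated in the code:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Subset of Chromium's real "cookies" table. On a real Windows profile `value`
# is empty and `encrypted_value` holds the DPAPI/AES-GCM ciphertext, so a
# stealer also has to read the key from the profile's "Local State" file.
# Here the sample keeps plaintext in `value` purely for illustration.
SCHEMA = """
CREATE TABLE cookies (
    creation_utc    INTEGER NOT NULL,
    host_key        TEXT    NOT NULL,
    name            TEXT    NOT NULL,
    value           TEXT    NOT NULL,
    encrypted_value BLOB    DEFAULT '',
    path            TEXT    NOT NULL,
    expires_utc     INTEGER NOT NULL,
    is_secure       INTEGER NOT NULL,
    is_httponly     INTEGER NOT NULL
);
"""

# Chromium timestamps are microseconds since 1601-01-01 UTC, not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2023, 10, 15, tzinfo=timezone.utc)  # "now" for the constructed data


def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_db():
    """In-memory store populated with constructed rows (not from any real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    day = timedelta(days=1)
    rows = [
        # (creation, host, name, value, encrypted_value, path, expires, secure, httponly)
        (to_webkit(SAMPLE_NOW), ".facebook.com", "c_user", "100012345678901", b"", "/", to_webkit(SAMPLE_NOW + 365 * day), 1, 0),
        (to_webkit(SAMPLE_NOW), ".facebook.com", "xs", "SAMPLE-SESSION-SECRET", b"", "/", to_webkit(SAMPLE_NOW + 365 * day), 1, 1),
        (to_webkit(SAMPLE_NOW), ".facebook.com", "datr", "sample-device-id", b"", "/", to_webkit(SAMPLE_NOW + 400 * day), 1, 1),
        (to_webkit(SAMPLE_NOW), ".google.com", "NID", "sample", b"", "/", to_webkit(SAMPLE_NOW + 180 * day), 1, 1),
        # An expired session from an earlier login: still on disk, useless to an attacker.
        (to_webkit(SAMPLE_NOW - 30 * day), ".facebook.com", "xs", "OLD-SESSION", b"", "/", to_webkit(SAMPLE_NOW - day), 1, 1),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn


# Assumption used by this example: Facebook's `c_user` (account id) and `xs`
# (session secret) are the pair that identifies a logged-in session.
SESSION_COOKIES = ("c_user", "xs")


def facebook_sessions(conn, now=SAMPLE_NOW):
    """Return the unexpired facebook.com session cookies, keyed by cookie name."""
    cur = conn.execute(
        "SELECT host_key, name, value, expires_utc, is_httponly FROM cookies "
        "WHERE host_key LIKE '%facebook.com' AND expires_utc > ?",
        (to_webkit(now),),
    )
    return {
        name: {"host": host, "value": value, "expires": from_webkit(exp), "httponly": bool(httponly)}
        for host, name, value, exp, httponly in cur
        if name in SESSION_COOKIES
    }


def has_live_session(conn, now=SAMPLE_NOW):
    """True when both halves of a Facebook session are present and unexpired."""
    return set(facebook_sessions(conn, now)) == set(SESSION_COOKIES)


if __name__ == "__main__":
    db = build_sample_db()
    for name, c in facebook_sessions(db).items():
        print(f"{name:8} {c['host']:15} expires {c['expires']:%Y-%m-%d} HttpOnly={c['httponly']}")
    print("live session:", has_live_session(db))
```

Two things worth noticing. The `xs` cookie is HttpOnly, and that does nothing here: HttpOnly only stops page scripts from reading a cookie, while a stealer that has code execution on the endpoint simply reads the database file off disk. And the session lifetime is measured in months, so a copy taken today keeps working long after the victim has closed the browser. To audit your own profile, copy the file (Chrome on Windows keeps it at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies`, and it is locked while the browser runs) and point `sqlite3.connect` at the copy; on a real profile you will see `value` empty and `encrypted_value` populated, as noted in the comments.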
New NodeStealer version 2.1 adds extra target applications and services
The NodeStealer malware discovered by our researchers is the modernized version of the info-stealer, written in Node. Cybercriminals have added new features that allow them to access additional platforms (Gmail and Outlook), steal crypto wallet balances, and download additional malicious payloads. These components could have devastating financial and reputational consequences for victims.
A Fresh Take on NodeStealer Attacks on Facebook
At Bitdefender Labs, we’ve observed a new approach to NodeStealer attacks deployed on Facebook. Threat actors are now using compromised business accounts to deliver malicious ad campaigns to unsuspecting internet users.
How It Works
According to our researchers, threat actors are no longer interested in hijacking only Facebook business accounts. They have expanded their attacks to regular Facebook users, using the method described below.
To gain access to your accounts and systems, cybercriminals abuse ad credit balances of compromised business accounts to run and manage ads that deliver the malware to their selected target audience.
They create a Facebook page under the name “Album Update” (or similar) and add revealing photos of young women (usually 1 or 2 photos).
They then start running ads promoting this revealing content. As key visuals, they use heavily edited images or, in some circumstances, AI-generated pictures of people. Instead of offering the promised content, the victim is lured to download a Windows application that installs a recent version of the NodeStealer malware. NodeStealer will then start exfiltrating user cookies and other sensitive information to its operators.
Once in possession of the cookies, attackers can start hijacking even more accounts, this time for good: they attempt to change passwords and add additional security measures to the accounts to completely cut off the legitimate owner, then commit a variety of types of fraud.
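The chain above (stolen cookie, then a password change that locks the owner out) comes down to one property of cookie-based sessions: the token alone authenticates, no password required. The following added example (a hypothetical service written for this page, not Facebook's or Bitdefender's code) models that property and shows the two server-side controls that blunt it: requiring the current password before a password change, and revoking every session for the account when the password does change. Both scenarios replay the theft with a copied token; the user name, passwords and PBKDF2 parameters are arbitrary:

```python
import hashlib
import hmac
import secrets


class AccountService:
    """Hypothetical web service with cookie-based sessions. The session token is
    what the browser stores as a cookie and what an info-stealer exfiltrates."""

    def __init__(self):
        self._creds = {}     # username -> (salt, PBKDF2-SHA256 hash)
        self._sessions = {}  # token (the cookie value) -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def _check_password(self, user, password):
        rec = self._creds.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))

    def register(self, user, password):
        self._set_password(user, password)

    def login(self, user, password):
        """Password login mints a random token; every later request sends only the token."""
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def whoami(self, token):
        """Authentication on an ordinary request: the cookie alone identifies the user."""
        return self._sessions.get(token)

    def change_password_weak(self, token, new_password):
        """Cookie-only password change: whoever holds the cookie, owner or thief,
        can lock the other one out."""
        user = self.whoami(token)
        if user is None:
            return False
        self._set_password(user, new_password)
        return True

    def change_password(self, token, current_password, new_password):
        """Hardened flow: re-verify the current password (step-up authentication),
        revoke every session for the account, including copies a thief holds,
        and hand the caller a fresh token. Returns None on failure."""
        user = self.whoami(token)
        if user is None or not self._check_password(user, current_password):
            return None
        self._set_password(user, new_password)
        self.logout_everywhere(user)
        return self.login(user, new_password)

    def logout_everywhere(self, user):
        """The "log out of all sessions" control: the remediation once cookie theft is suspected."""
        self._sessions = {t: u for t, u in self._sessions.items() if u != user}


def weak_scenario():
    """The takeover described above, against a service with cookie-only password changes."""
    svc = AccountService()
    svc.register("victim", "hunter2")
    cookie = svc.login("victim", "hunter2")
    stolen = cookie  # the stealer exfiltrated a copy of the cookie value
    return {
        "stolen_cookie_authenticates": svc.whoami(stolen) == "victim",
        "attacker_changes_password": svc.change_password_weak(stolen, "attacker-chosen"),
        "owner_locked_out": svc.login("victim", "hunter2") is None,
        "attacker_still_in": svc.whoami(stolen) == "victim",
    }


def hardened_scenario():
    """The same theft against the hardened flow."""
    svc = AccountService()
    svc.register("victim", "hunter2")
    cookie = svc.login("victim", "hunter2")
    stolen = cookie
    out = {"stolen_cookie_authenticates": svc.whoami(stolen) == "victim"}
    # The thief has the cookie but not the password, so the step-up check fails.
    out["attacker_changes_password"] = svc.change_password(stolen, "guess", "attacker-chosen") is not None
    # The owner, from a fresh login on another device, rotates the password; all sessions die with it.
    fresh = svc.change_password(svc.login("victim", "hunter2"), "hunter2", "new-long-passphrase")
    out["stolen_cookie_revoked"] = svc.whoami(stolen) is None
    out["owner_keeps_access"] = svc.whoami(fresh) == "victim"
    return out


if __name__ == "__main__":
    print("weak:    ", weak_scenario())
    print("hardened:", hardened_scenario())
```

Note what the hardened flow does not fix: `stolen_cookie_authenticates` is True in both scenarios. Step-up authentication stops the thief from changing the password and locking the owner out, but the copied cookie still reads the account until someone revokes the sessions, which is why a password change should always invalidate existing sessions and why "log out of all sessions" is the first step once a stealer infection is suspected.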
An in-depth report about NodeStealer and its purpose is available in this research article on Bitdefender Labs.
How to stay safe
The evolving landscape of cyber threats on social media demands vigilance. As a user, it’s crucial to stay informed and take steps to protect your accounts, data, and personal information. By understanding these threats and staying alert, you can navigate the digital world more safely.