“The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware,” Finnish cybersecurity company WithSecure (formerly F-Secure Business) said in a new report.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”
The attacks apparently began in the latter half of 2021, against individuals with managerial, digital marketing, digital media, and human resources roles in companies.
Employees with high-level access to the Facebook Business accounts associated with their organizations are tricked into downloading supposed Facebook advertising information hosted on Dropbox, Apple iCloud and MediaFire.
The archive files contain a malicious payload, which is also delivered to victims through LinkedIn, that ultimately allows the attacker to hijack any Facebook Business account the victim can reach.
The program is coded to use Telegram for command-and-control and data exfiltration. WithSecure said it identified eight Telegram channels that were used for this purpose.
The malware reads the stored cookies and access tokens of Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox, and uses the authenticated session to steal information from the victim’s personal Facebook account, such as name, email address, date of birth, and user ID.
It also collects data on the businesses and ad accounts connected to the victim’s personal account, then takes them over by adding an attacker-controlled email address, retrieved from the Telegram channel, with Admin and Finance editor access.
Users with Admin roles have full control over a Facebook Business account and users with Finance editor permissions can edit business credit card information and financial details like transactions, invoices, account spend, and payment methods.
As of this moment, the exact number of affected users has not been determined.
Facebook Business administrators are advised to review their access permissions and remove any unknown users to secure the accounts.
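One way to act on that advice, as an added example that is not from the WithSecure report or from Meta's own tooling: a small audit over an exported Business Manager user list (the list format, with `email`, `role` and `added` fields, is an assumption) that flags Admin or Finance editor users who are not on a verified list, sit on an external domain, or were added recently.

```python
"""Audit a Facebook Business Manager user list for unexpected high-privilege members."""
from datetime import date, timedelta

# Roles the report describes the attacker granting itself; either one is
# enough to control the business or its payment details.
HIGH_PRIVILEGE_ROLES = {"ADMIN", "FINANCE_EDITOR"}


def audit_business_users(users, known_emails, corporate_domains, today, recent_days=30):
    """Return (email, role, reason) findings for high-privilege users needing review.

    users: iterable of {"email": str, "role": str, "added": date}  (assumed export format)
    known_emails: emails the administrator has positively verified
    corporate_domains: domains the business expects its staff to use
    """
    findings = []
    cutoff = today - timedelta(days=recent_days)
    for user in users:
        email = user["email"].strip().lower()
        role = user["role"].strip().upper().replace(" ", "_")
        domain = email.rsplit("@", 1)[-1]
        reasons = []
        if email not in known_emails:
            reasons.append("not on verified user list")
        if domain not in corporate_domains:
            reasons.append(f"external domain {domain}")
        if user["added"] >= cutoff:
            reasons.append(f"added within last {recent_days} days")
        # Only escalate accounts that could actually take over the business.
        if reasons and role in HIGH_PRIVILEGE_ROLES:
            findings.append((email, role, "; ".join(reasons)))
    return findings


# Constructed sample data; the addresses and dates are not from the report.
SAMPLE_USERS = [
    {"email": "cmo@example-corp.com", "role": "Admin", "added": date(2021, 3, 2)},
    {"email": "ads@example-corp.com", "role": "Advertiser", "added": date(2021, 5, 10)},
    {"email": "payments-new@mailbox.example", "role": "Finance editor", "added": date(2022, 7, 28)},
    {"email": "consultant@agency.example", "role": "Admin", "added": date(2022, 7, 30)},
]
KNOWN = {"cmo@example-corp.com", "ads@example-corp.com", "consultant@agency.example"}
DOMAINS = {"example-corp.com"}

if __name__ == "__main__":
    for email, role, why in audit_business_users(SAMPLE_USERS, KNOWN, DOMAINS, date(2022, 8, 1)):
        print(f"REVIEW {email} ({role}): {why}")
```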
More broadly, the automation features of legitimate messaging apps like Discord and Telegram can be used to propagate malware. Both apps have underlying elements that allow users to create and share programs or other types of content used inside the platform. These programs, known as “bots,” and other content allow users to share media, play games, moderate channels, or perform any other automated task a developer can devise.
Cybercriminals have figured out how to leverage this for their own gain. Intel 471 has observed several different ways cybercriminals have used these messaging apps to spread their own malware, primarily in conjunction with information stealers.
“Primarily used in conjunction with information stealers, cybercriminals have found ways to use these platforms to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users,” Intel 471 said Tuesday.