A group of cybercriminals is running an attack campaign against male Facebook users in which malicious advertising with sexual content serves as the hook to install the NodeStealer malware on victims' devices, hijack their accounts and steal their confidential information.
Social media platforms offer access to a wide range of content, but they are also a gateway for large-scale attacks against unsuspecting users.
Malicious threats are present on all social networks, so it is advisable to stay informed of cybercriminals' latest attack methods in order to avoid compromising the security of accounts and personal data, and even to prevent the theft of money.
This has been detailed by cyberattack experts at the cybersecurity company Bitdefender, who have identified a malicious advertising campaign on Facebook, aimed at a male audience, that uses ads with provocative content about women to hijack user accounts and steal personal information by delivering a new version of the NodeStealer malware.
During the period of the investigation, from October 10 to 20, the researchers monitored the “growing trend” among cybercriminals of actively exploiting social networks for malicious advertising.
In this case, their modus operandi is based on creating a Facebook page and using advertising credit balances from compromised company accounts. The malicious actors then publish ads that promote false content, here with provocative images of women as a hook to attract potential victims.
As Bitdefender has detailed, the campaign is aimed at a target audience of men over 45 years of age. To capture them, the Facebook accounts publish two images of women and encourage users to download the entire album of those photos.
However, when the user clicks on the link to download the content, they are directed to a Bitbucket or GitLab repository. There, they find a Windows executable that actually installs a recent version of the malware known as NodeStealer on the device.
Malicious business accounts
This is a file called ‘Photo Album.exe’, which also downloads a second .NET executable. With these files, the malware steals the browser's cookies and passwords in order to access the user's account.
Once the malware is installed, the cybercriminals have free rein to take over the Facebook account of the user who clicked the link and can therefore access the confidential information contained in the account.
Once they have gained access, the attackers also try to change passwords and add additional security measures to lock the legitimate owner out of the account completely, so that they can use it to commit fraud, for example.
Across the multiple malicious advertising campaigns, the malicious actors used a maximum of five active ads at a time and published them at 24-hour intervals to prevent affected users from notifying other users.
According to the study, it is estimated that cybercriminals can achieve around 100,000 malware downloads with this type of campaign. As the experts were able to verify with one of the ads analyzed, 15,000 downloads were achieved in just 24 hours. Bitdefender obtained this data by tracking ads in the Meta Ad Library.
They have also counted at least 10 compromised business accounts that currently “continue to publish malicious ads” on Facebook.
NodeStealer
For all these reasons, Bitdefender's cybersecurity experts have warned that malicious actors “are increasingly using smart tactics,” taking advantage of legitimate online advertising tools and operations to infect users' devices without them realizing it.
NodeStealer is malware that was discovered by Meta in January of this year and was designed to hijack cookie sessions from the most common web browsers, such as Google Chrome, Microsoft Edge, Brave and Opera. In this way, cybercriminals manage to gain control of commercial accounts without needing to interact with the victim.
However, as it is “relatively new” malware, Bitdefender has warned that malicious actors have continued to “work diligently” to equip it with new capabilities.
For this reason, experts recommend that users remain alert to the possible emergence of new techniques and, above all, distrust ads that “suggest downloading photo albums from Bitbucket, GitLab or Dropbox.” They have also advised using an “always updated” security solution on the device.
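
The delivery pattern described above (a Windows executable with a photo-album name, hosted on Bitbucket, GitLab or Dropbox and reached from a Facebook link) can be looked for in web-proxy logs. The following is an added example, not code from Bitdefender or from the original article; the log layout, the extension and keyword lists, the threshold and the sample entries are assumptions constructed for illustration.

```python
from posixpath import basename
from urllib.parse import unquote, urlsplit

HOSTING = ("bitbucket.org", "gitlab.com", "dropbox.com")  # named in the article
SOCIAL = ("facebook.com", "fb.com")
EXEC_EXTS = (".exe", ".scr", ".msi")  # assumed list of Windows executables
LURE_WORDS = ("photo", "album", "picture", "gallery")  # assumed lure keywords

def host_in(host, domains):
    """True if host is one of domains or a subdomain (not a lookalike)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_download(url, referer=""):
    """Return the reasons a download matches the lure described above."""
    parts = urlsplit(url)
    name = basename(unquote(parts.path)).lower()  # decodes 'Photo%20Album.exe'
    if not name.endswith(EXEC_EXTS):
        return []  # only executable downloads are in scope
    reasons = []
    if host_in(parts.hostname, HOSTING):
        reasons.append("executable served from code/file hosting")
    if any(word in name for word in LURE_WORDS):
        reasons.append("media-themed name on an executable")
    if host_in(urlsplit(referer).hostname, SOCIAL):
        reasons.append("reached from a Facebook link")
    return reasons

def flag_log(lines, threshold=2):
    """Parse 'time user url referer' lines; return (user, url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed entries
        _, user, url, referer = fields
        reasons = score_download(url, "" if referer == "-" else referer)
        if len(reasons) >= threshold:
            hits.append((user, url, reasons))
    return hits

# Constructed sample entries; users, paths and timestamps are placeholders.
SAMPLE_LOG = [
    "2000-01-01T09:14:03Z alice https://bitbucket.org/example-user/example-repo/downloads/Photo%20Album.exe https://l.facebook.com/l.php",
    "2000-01-01T09:20:41Z bob https://gitlab.com/example-group/tool/-/archive/main/tool-main.zip -",
    "2000-01-01T10:02:17Z carol https://www.dropbox.com/s/EXAMPLE/album_full.scr?dl=1 -",
    "2000-01-01T10:30:00Z dave https://gitlab.com/example-group/app/-/releases/app-setup.exe -",
]
print(*flag_log(SAMPLE_LOG), sep="\n")
```

A single signal, such as an installer fetched from a code-hosting release page, stays below the threshold; two or more together are what the entry is flagged on.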