Facebook Messenger phishing wave targets 100K business accounts per week

Trending 2 weeks ago


Hackers usage a monolithic web of clone and compromised Facebook accounts to nonstop retired millions of Messenger phishing messages to target Facebook business accounts pinch password-stealing malware.

The attackers instrumentality nan targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored successful nan victim's browser.

In a caller study by Guardio Labs, researchers pass that astir 1 retired of seventy targeted accounts is yet compromised, translating to monolithic financial losses.

Facebook Messenger phishing

The hackers commencement by sending Messenger phishing messages to Facebook business accounts pretending to beryllium copyright violations aliases requests for much accusation astir a product.

Phishing messagePhishing connection connected Messenger (Guardio Labs)

The attached archive contains a batch record that, if executed, fetches a malware dropper from GitHub repositories to evade blocklists and minimize unique traces.

Along pinch nan payload (project.py), nan batch book besides fetches a standalone Python situation required by nan infostealing malware and adds persistence by mounting nan stealer binary to execute astatine strategy startup.

The project.py record features 5 layers of obfuscation, making it challenging for AV engines to drawback nan threat.

Part of nan payload's codePart of nan payload's code (Guardio Labs)

The malware collects each nan cookies and login information stored connected nan victim's web browser into a ZIP archive named 'Document.zip'. It past sends nan stolen accusation to nan attackers via Telegram aliases Discord bot API.

Finally, nan stealer wipes each cookies from nan victim's instrumentality to log them retired of their accounts, giving nan scammers capable clip to hijack nan recently compromised relationship by changing nan passwords.

As it tin return a while for societal media companies to respond to emails astir hijacked accounts, it gives nan threat actors clip to behaviour fraudulent activities pinch nan hacked accounts.

Complete onslaught chainComplete onslaught chain (Guardio Labs)

Scale of nan campaign

Although nan onslaught concatenation isn't novel, nan standard of nan run observed by Guardio Labs is alarming.

The researchers study astir 100,000 phishing messages per week, sent chiefly to Facebook users successful North America, Europe, Australia, Japan, and Southeast Asia.

Victims heatmapVictims heatmap (Guardio Labs)

Guardio Labs reports that nan standard of nan run is specified that astir 7% of each of Facebook’s business accounts person been targeted, pinch 0.4% having downloaded nan malicious archive.

To beryllium infected by nan malware, nan users still person to execute nan batch file, truthful nan number of hijacked accounts is unknown, but it could beryllium significant.

Funnel diagramFunnel diagram (Guardio Labs)

Linked to Vietnamese hackers

Guardio attributes this run to Vietnamese hackers owed to strings successful nan malware and nan usage of nan "Coc Coc" web browser, which nan researchers opportunity is celebrated successful Vietnam.

"This python stealer reveals nan Vietnamese root of these threat actors,' explains Guardio.

"The connection "Thu Spam lần thứ" which is sent to nan Telegram bot appended pinch a antagonistic of execution time, translates from Vietnamese arsenic "Collect Spam for nan X time"."

Vietnamese threat groups person targeted Facebook pinch large-scale campaigns this year, monetizing stolen accounts chiefly by reselling them via Telegram aliases acheronian web markets.

In May 2023, Facebook announced it had disrupted a Vietnam-originated run that deployed a caller info-stealer malware named 'NodeStealer' that snatched browser cookies.

In April 2023, Guardio Labs reported again astir a Vietnamese threat character who abused Facebook's Ads work to infect astir half a cardinal users pinch info-stealing malware.