Content creators and small businesses are facing a sophisticated new threat targeting their Facebook accounts through deceptive advertisements promising free Meta verification badges.
A new malvertising campaign is targeting Facebook users with malicious ads that promise to unlock Meta’s coveted blue verification tick through a seemingly legitimate browser extension.
These ads, accompanied by instructional videos, are designed to trick users into downloading malware that steals their account credentials and hijacks their Facebook Business accounts.
Security researchers have identified at least 37 malicious advertisements promoting this fake verification tool, all originating from the same Facebook account.
The campaign bears clear hallmarks of Vietnamese-speaking threat actors, with video narrations and code comments written in Vietnamese.
The malicious code includes instructions on how to customize variables such as the size and position of fake verification badges, demonstrating the attackers’ intent to create a convincing illusion of functionality.
The malicious browser extension itself appears to contain AI-generated code that is poorly obfuscated but effective in achieving its criminal objectives.
Despite its crude construction, the malware successfully accomplishes its primary goal of data theft. Inline comments within the code highlight “adjustable parts” for custom values, allowing attackers to quickly modify and redeploy new variants across different campaigns.
The distribution mechanism adds another layer of sophistication to this operation. Attackers host their malware on Box.com, a legitimate cloud content management service, which helps them evade detection while mass-generating download links.
This approach allows them to automatically embed malicious links into tutorial videos and continuously refresh their campaigns, representing an industrialized approach to cybercrime.
Cookie Theft and Business Account Hijacking
Once installed, the malicious extension immediately begins harvesting Facebook session cookies and transmitting them to attacker-controlled Telegram bots.
The malware also collects victims’ IP addresses through external services to build comprehensive profiles of compromised accounts.
More advanced variants of this malware interact directly with the Facebook Graph API using stolen access tokens, specifically targeting Facebook Business accounts.
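The behaviour described above (cookie access scoped to facebook.com, a Telegram bot API endpoint, an external IP-lookup service and Graph API calls) leaves a recognisable footprint in an extension's manifest and scripts. The following triage script is an added example for defenders, not the campaign's code or code from the original article; the manifest, the script text, the indicator list and the scoring weights are constructed samples and assumptions, and any single indicator on its own is common in benign extensions.

```python
"""Static triage of an unpacked browser extension for the indicator mix the
article describes. Added example; manifest, scripts and weights are
constructed samples, not artefacts from the campaign."""
import json
import re

FACEBOOK_HOST = re.compile(r"(^|\*|\.)facebook\.com", re.I)
# String indicators searched for in the extension's script files.
INDICATORS = {
    "cookie_api": re.compile(r"\b(chrome|browser)\.cookies\.getAll\b"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "ip_lookup": re.compile(r"api\.ipify\.org|ipinfo\.io|ip-api\.com"),
    "graph_api": re.compile(r"graph\.facebook\.com"),
}

# Constructed sample manifest modelled on a "free verification" lure.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Get Blue Tick Free",
  "permissions": ["cookies", "storage", "tabs"],
  "host_permissions": ["*://*.facebook.com/*"],
  "background": {"service_worker": "bg.js"}
}""")

# Constructed sample script: only the strings a triage rule keys on.
SAMPLE_BG_JS = """
const BOT = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage";
const IPSVC = "https://api.ipify.org?format=json";
const GRAPH = "https://graph.facebook.com/me";
chrome.cookies.getAll({ domain: "facebook.com" }, function (c) { /* ... */ });
"""

# Constructed benign control: a theme switcher with no cookie access.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Dark Mode Lite",
                   "permissions": ["storage"]}
BENIGN_JS = "document.documentElement.classList.toggle('dark');"


def manifest_findings(manifest: dict) -> dict:
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists host patterns separately; V2 mixed them into "permissions".
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    return {
        "cookies_permission": "cookies" in perms,
        "facebook_host": any(h == "<all_urls>" or FACEBOOK_HOST.search(h)
                             for h in hosts),
    }


def script_findings(sources: dict) -> set:
    """sources maps file name -> script text; returns indicator names seen."""
    hits = set()
    for src in sources.values():
        hits |= {name for name, rx in INDICATORS.items() if rx.search(src)}
    return hits


def triage(manifest: dict, sources: dict) -> dict:
    """Score the combination of manifest grants and script indicators.
    Weights are assumptions; the point is that the combination scores,
    not any single indicator."""
    m = manifest_findings(manifest)
    hits = script_findings(sources)
    score, reasons = 0, []
    if m["cookies_permission"] and m["facebook_host"]:
        score += 2
        reasons.append("cookie permission with facebook.com host access")
    if "cookie_api" in hits and "telegram_bot_api" in hits:
        score += 3
        reasons.append("reads cookies and references the Telegram bot API")
    if "ip_lookup" in hits:
        score += 1
        reasons.append("queries an external IP lookup service")
    if "graph_api" in hits and m["cookies_permission"]:
        score += 2
        reasons.append("Graph API references alongside cookie access")
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return {"score": score, "verdict": verdict, "reasons": reasons,
            "indicators": sorted(hits)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, {"bg.js": SAMPLE_BG_JS}))
    print(triage(BENIGN_MANIFEST, {"content.js": BENIGN_JS}))
```

To run it against a real extension, load its `manifest.json` and read each script named in `background`, `content_scripts` and `web_accessible_resources` into the `sources` dictionary; the indicator list is deliberately short and should be extended with whatever exfiltration hosts appear in your own telemetry.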
These business accounts represent significantly more valuable targets than ordinary user profiles due to their commercial nature and administrative privileges.
Once identified and compromised, these accounts are packaged and sold through underground Telegram channels, where stolen credentials are marketed like commodities.
The stolen business accounts serve a dual purpose in the attackers’ ecosystem. Beyond immediate financial gain from direct sales, hijacked accounts can be repurposed to promote additional malicious advertisements, creating a self-sustaining cycle of cybercrime.
This creates a feedback loop where compromised accounts fund and facilitate new waves of malvertising campaigns targeting fresh victims.
Exploitation of Verification Desires
The campaign’s success stems from its exploitation of users’ desire for Meta’s blue verification badge, which signals authenticity, boosts content visibility, and provides protection against impersonation.
Since Meta now requires paid subscriptions for official verification, scammers capitalize on users seeking free alternatives by offering fraudulent tools promising the same benefits.
The presentation of these scams through professional-looking video tutorials embedded in Facebook advertisements makes them particularly convincing.
The combination of visual instruction and apparent legitimacy helps lower users’ natural skepticism, making it easier for victims to unknowingly install malicious software on their devices.
Users can protect themselves by remaining skeptical of advertisements offering verification tools or special Facebook features, as Meta does not distribute verification badges through browser extensions.
All software downloads should come from official sources such as the Chrome Web Store or Firefox Add-ons marketplace, rather than through advertisement links.
Account security measures including strong, unique passwords and multi-factor authentication provide additional protection against credential theft.
Specialized security tools can analyze suspicious links and monitor for signs of account compromise or data theft.
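Monitoring for signs of data theft can be done with ordinary web-proxy logs: the sequence the article describes is a facebook.com session followed within minutes by a POST to a Telegram bot API endpoint, often with an external IP-lookup request in between. The correlation below is an added example for defenders, not code from the article or from any vendor tool; the log line format, the field order, the IP-lookup host list and the ten-minute window are assumptions, and the log lines are constructed.

```python
"""Correlate web-proxy log lines to flag a client that calls the Telegram
bot API shortly after a facebook.com request. Added example with constructed
log lines; format and window are assumptions to adapt to your own proxy."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "ip-api.com"}

# Constructed sample log: "<iso timestamp> <client ip> <method> <host> <path>".
# 10.0.0.12 shows the full sequence; 10.0.0.30 is stand-alone bot traffic;
# 10.0.0.45 has a facebook.com request but hours before the bot call.
SAMPLE_LOG = """
2024-05-02T10:14:02Z 10.0.0.12 GET www.facebook.com /
2024-05-02T10:14:05Z 10.0.0.12 GET api.ipify.org /?format=json
2024-05-02T10:14:07Z 10.0.0.12 POST api.telegram.org /botPLACEHOLDER_TOKEN/sendDocument
2024-05-02T11:00:00Z 10.0.0.30 GET api.telegram.org /botPLACEHOLDER_TOKEN/getUpdates
2024-05-02T09:00:00Z 10.0.0.45 GET www.facebook.com /marketplace
2024-05-02T12:00:00Z 10.0.0.45 POST api.telegram.org /botPLACEHOLDER_TOKEN/sendMessage
"""


def parse_line(line: str) -> dict:
    ts, client, method, host, path = line.split()[:5]
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "host": host, "path": path,
    }


def is_telegram_bot_call(e: dict) -> bool:
    # Bot API URLs take the form api.telegram.org/bot<token>/<method>.
    return e["host"] == "api.telegram.org" and e["path"].startswith("/bot")


def flag_exfil(log_text: str, window: timedelta = WINDOW) -> list:
    """Return one alert per Telegram bot call that follows a facebook.com
    request from the same client within the window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_client[e["client"]].append(e)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        fb_times = [e["ts"] for e in events if e["host"].endswith("facebook.com")]
        for e in events:
            if not is_telegram_bot_call(e):
                continue
            preceded = any(timedelta(0) <= e["ts"] - t <= window for t in fb_times)
            if not preceded:
                continue  # stand-alone bot traffic, e.g. a legitimate chat bot
            ip_lookup = any(
                x["host"] in IP_LOOKUP_HOSTS and abs(x["ts"] - e["ts"]) <= window
                for x in events
            )
            alerts.append({
                "client": client,
                "at": e["ts"].isoformat(),
                "reason": "Telegram bot API call within %d min of a facebook.com request"
                          % (window.total_seconds() // 60),
                "ip_lookup_seen": ip_lookup,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil(SAMPLE_LOG):
        print(alert)
```

Legitimate Telegram bot traffic exists on most networks, so the rule keys on the temporal pairing with a Facebook session rather than on the Telegram host alone; widening the window raises recall at the cost of catching unrelated bot use, which the second assertion in the usage below illustrates.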
For content creators and small businesses who depend heavily on social media presence for their livelihood, losing control of Facebook accounts can result in significant financial and reputational damage.
The targeted nature of these attacks against business accounts makes professional cybersecurity protection particularly important for commercial social media operations.
This malvertising campaign represents the continuing evolution of social media-based cybercrime, where attackers leverage legitimate platforms and user psychology to distribute malware and steal valuable account credentials for profit.