A recent campaign abuses paid Facebook ads to distribute a malicious Chrome browser extension. The goal of the campaign is to steal users' credentials, particularly those of business accounts, and use them for unauthorized access.
Meta, the parent company of Facebook, responded to the threat after being alerted by cybersecurity firm Trend Micro. The scheme relies on fake profiles representing marketing firms or departments, offering the allure of AI technology to boost productivity, reach, and revenue. Some ads even bait victims with access to the experimental AI chatbot, Google Bard.
The fake profiles can be recognized by their artificially inflated follower counts, fabricated reviews from compromised profiles, and limited online history. The attackers are primarily interested in compromising business social media managers, administrators, and marketing specialists, who often hold admin privileges for company social media accounts.
One noteworthy instance involved a Trend Micro researcher assisting with a victim's incident response. The attacker manipulated the victim's Meta Business Manager by adding suspicious users. Although the attacker did not communicate directly with the victim, they used the victim's prepaid promotion budget to disseminate their own content, indicating their intent to exploit stolen accounts for malicious purposes.
Upon clicking the malicious ads, users are directed to a simple webpage that touts the benefits of large language models (LLMs) and provides a link for downloading an "AI package." The package is encrypted to avoid detection, usually with a common password like "999" or "888." Once decrypted, the package installs a Chrome extension aimed at stealing Facebook cookies, access tokens, browser user agents, and various account information.
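
For defenders triaging a workstation after such an install, the sketch below audits extension manifests for the capability described above: the `cookies` API combined with host access to facebook.com, or a content script running on Facebook pages. It is an added example, not code from Trend Micro or Meta; the function names are hypothetical, the sample manifests are constructed, and the `<extension id>/<version>/manifest.json` layout is assumed to match a Chrome profile's `Extensions` directory.

```python
import json, tempfile
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # match every site

def covers_facebook(pattern: str) -> bool:
    """True if a Chrome match pattern grants access to facebook.com."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
    return pattern in BROAD or host == "facebook.com" or host.endswith(".facebook.com")

def audit_manifest(manifest: dict) -> list:
    """Return the reasons a manifest can reach Facebook session data."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = manifest.get("host_permissions", []) + perms  # MV2 mixes hosts into "permissions"
    fb = sorted({h for h in hosts if covers_facebook(h)})
    reasons = []
    if "cookies" in perms and fb:
        reasons.append("cookies API with host access: " + ", ".join(fb))
    scripts = manifest.get("content_scripts", [])
    if any(covers_facebook(m) for cs in scripts for m in cs.get("matches", [])):
        reasons.append("content script runs on facebook.com pages")
    return reasons

def audit_extensions(root: Path) -> dict:
    """Scan root/<extension id>/<version>/manifest.json files."""
    findings = {}
    for mf in sorted(root.glob("*/*/manifest.json")):
        try:
            reasons = audit_manifest(json.loads(mf.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            reasons = ["manifest unreadable"]
        if reasons:
            findings[mf.parent.parent.name] = reasons
    return findings

def demo() -> dict:
    samples = {  # constructed manifests, not taken from the campaign
        "aaaa-constructed-suspicious": {"manifest_version": 3, "name": "AI helper",
            "permissions": ["cookies", "storage"], "host_permissions": ["*://*.facebook.com/*"]},
        "bbbb-constructed-benign": {"manifest_version": 3, "name": "Notes",
            "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            d = Path(tmp, ext_id, "1.0.0"); d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(Path(tmp))

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for review rather than a verdict, since legitimate extensions also request these permissions; what matters is whether the user knowingly installed the flagged extension from a trusted source.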
The attack capitalizes on the rising interest in AI technology to deceive victims: threat actors are using the growing fascination with AI as a social engineering lure. To counter this, Meta has removed the fraudulent pages and ads and is enhancing its detection systems. Cybersecurity experts recommend deploying antivirus solutions with web reputation services and staying cautious when downloading files from the internet, especially in light of emerging AI-related threats.
Steven Spadaccini, VP of Threat Intelligence at SafeGuard Cyber, emphasized the importance of recognizing the threat of compromised social media platforms:
“The ad campaign in which a threat actor is abusing paid Facebook ads to take over business accounts highlights, once again, that social media platforms can be compromised. The findings highlight that the victims that were using social networking for business were the targets. The recommended action is to deploy an antivirus solution with web reputation services to counter this type of threat. While antivirus and web reputation are helpful after an attack, it does not help you during an attack. The focus should be on looking at behavior changes within social channels and leveraging AI to identify these types of threats before it’s too late. Businesses should have near real-time monitoring for their social platforms.”