The Hidden Menace: Python Malware Wreaks Havoc on Millions of Facebook Business Accounts

Attackers Targeting Facebook Business Accounts, Spreading Info-Stealing Malware

Background

In recent months there has been a surge in targeted attacks on Facebook business accounts. Attackers use a botnet of fake and hijacked personal Facebook accounts to send malicious messages through Facebook Messenger. The goal is to spread an info-stealing malware that harvests the victim's browser session cookies and saved logins so the attacker can take over the account. Researchers at Guardio Labs found that the campaign infects about 1.4% of the accounts it reaches, roughly one in every 70.

The MrTonyScam Campaign

The primary attack method used in these campaigns has been given the name "MrTonyScam" by Guardio Labs. The campaign sends business accounts a message that carries, or links to, a compressed stealer payload. The messages slip past typical spam detectors by varying in wording while sharing the same pretext: some pose as complaints about policy violations, others ask questions about an advertised product. Each message is made unique by using a different archive filename and by inserting Unicode characters into various words, so that no two copies match exactly.
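To see why per-message Unicode padding defeats exact-match filters, and how a defender collapses the variants back to a single template, here is an added Python example. It is not part of the original article or of Guardio's research: the lure messages are constructed for illustration and the defanged URL is a placeholder.

```python
import unicodedata

# Constructed lure messages (not real samples from the campaign): one template
# padded with zero-width joiners/spaces and "mathematical bold" letters so that
# each copy is byte-for-byte unique, plus one genuinely different message.
SAMPLES = [
    "Your page has vio\u200blated our adv\u200certising policy. Appeal: hxxp://example.invalid/appeal",
    "Your page has violated our ad\u200dvertising pol\u200bicy. Appeal: hxxp://example.invalid/appeal",
    "Your \U0001d429\U0001d41a\U0001d420\U0001d41e has violated our advertising policy. Appeal: hxxp://example.invalid/appeal",
    "Hi, is the blue jacket from your ad still available?",
]


def normalize(text: str) -> str:
    """Fold a message to a canonical form for template matching.

    NFKC maps compatibility characters (mathematical alphanumerics, fullwidth
    forms) back to their base letters; format characters (category Cf, which
    covers U+200B..U+200D, U+2060, U+FEFF and U+00AD) are dropped; case and
    whitespace are then collapsed.
    """
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return " ".join(text.casefold().split())


def cluster(messages):
    """Group raw messages by their normalized template."""
    groups = {}
    for m in messages:
        groups.setdefault(normalize(m), []).append(m)
    return groups


if __name__ == "__main__":
    for template, members in cluster(SAMPLES).items():
        print(f"{len(members)} variant(s) -> {template!r}")
```

The four raw strings are all distinct, but after normalization the first three collapse to one template and only the product question stays separate. Running this fold before any hash or signature lookup is cheap, and it is the step a spam filter that only compares raw bytes is missing.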

If the recipient clicks the link, it downloads a "classic stealer" payload packed in a RAR or ZIP archive. Once executed, the payload unwraps several layers of obfuscation and then collects all cookies and saved login data from the popular browsers on the victim's computer. The stolen data is sent to a Telegram channel or Discord server that the attacker controls, using Telegram's or Discord's bot API; this is common practice among scammers because it needs no attacker-run command-and-control server. Finally, the payload deletes the victim's cookies, which logs them out of their sessions. The attacker, now holding copies of those cookies, logs in first, hijacks the session and changes the password before the victim can regain access.
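The behaviour described above gives a defender three things to look for on the endpoint: a process that is not a browser reading the browser's cookie and login stores, an outbound POST from that process to the Telegram bot API or a Discord webhook, and the cookie file being deleted. The following Python is an added example, not code from the article or from Guardio Labs. It runs those three checks over a few constructed telemetry lines in a hypothetical JSON format (fields proc, event, op, path, url); the profile paths are the standard Chromium ones, while the bot token and webhook IDs are placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed telemetry (not from the Guardio report): one JSON event per line
# in a hypothetical EDR/proxy format. Backslashes are JSON-escaped.
TELEMETRY = r"""
{"proc": "chrome.exe", "event": "file", "op": "read", "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"proc": "python.exe", "event": "file", "op": "read", "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"proc": "python.exe", "event": "file", "op": "read", "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"proc": "python.exe", "event": "http", "method": "POST", "url": "https://api.telegram.org/bot123456789:AAFexampleTokenPlaceholder000000000/sendDocument"}
{"proc": "python.exe", "event": "http", "method": "POST", "url": "https://discord.com/api/webhooks/1234567890/abcdefXYZ"}
{"proc": "Telegram.exe", "event": "http", "method": "POST", "url": "https://api.telegram.org/bot123456789:AAFexampleTokenPlaceholder000000000/sendMessage"}
{"proc": "python.exe", "event": "file", "op": "delete", "path": "C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
"""

# Processes that legitimately touch these stores or talk to these APIs.
# Matching on image name alone is weak (a stealer can be renamed); in a real
# deployment key this on signer/hash as well.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
MESSENGERS = {"telegram.exe", "discord.exe"}

# Chromium profile files holding session cookies and saved logins.
CRED_STORES = ("\\Network\\Cookies", "\\Cookies", "\\Login Data")

# Telegram bot API: /bot<numeric id>:<token>/send*; Discord: /api/webhooks/<id>/<token>
TELEGRAM_BOT = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{20,}/send")
DISCORD_HOOK = re.compile(r"^/api/webhooks/\d+/")


def detect(lines: str):
    """Return (rule, process, detail) tuples for suspicious events."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = ev["proc"].lower()
        if ev["event"] == "http":
            if proc in MESSENGERS | BROWSERS:
                continue
            u = urlsplit(ev["url"])
            if (u.hostname == "api.telegram.org" and TELEGRAM_BOT.match(u.path)) or (
                u.hostname == "discord.com" and DISCORD_HOOK.match(u.path)
            ):
                alerts.append(("bot_api_exfil", proc, u.hostname))
        elif ev["event"] == "file":
            path = ev["path"]
            if proc in BROWSERS or "\\User Data\\" not in path:
                continue
            if path.endswith(CRED_STORES):
                rule = "cred_store_delete" if ev["op"] == "delete" else "cred_store_read"
                alerts.append((rule, proc, path.rsplit("\\", 1)[-1]))
    return alerts


if __name__ == "__main__":
    for rule, proc, detail in detect(TELEMETRY):
        print(f"{rule:18} {proc:14} {detail}")
```

On the sample, the browser's own read of its cookie store and the real Telegram client's API call produce nothing, while the python.exe process triggers all five alerts in the order the stealer works: read cookies, read saved logins, exfiltrate to Telegram, exfiltrate to Discord, delete cookies. Correlating the read, the bot-API POST and the delete from one process within a short window is far stronger than any single rule; a read of Login Data by a script interpreter is already worth a look on its own.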

Extent of the Attack

Guardio Labs found that the MrTonyScam campaign has been particularly successful, infecting approximately 1.4% of its targets. Victims are concentrated in North America, Europe, Asia and Australia. The researchers believe the tactics and techniques match those of a Vietnam-based threat actor. The campaign also exposes a structural weakness in modern browsers and in services like Facebook: browsers keep saved passwords and session cookies encrypted with keys that any process running as the logged-in user can recover, so malware running with the user's privileges can decrypt and replay them, and a replayed session cookie logs in without a password or second factor.

Implications and Recommendations

The prevalence of attacks on Facebook business accounts underlines the importance of sound security practices. Users should be cautious with messages from unknown senders, sceptical of unexpected requests or links, and should never open an archive or run an executable received through Messenger, however plausible the complaint or question attached to it. Organisations should also add layers of detection that can catch malicious messages and attachments before they reach a social media inbox.

Furthermore, this campaign serves as a reminder that social media platforms need to improve their detection of account hijacking in real-time. As threat actors continue to find new ways to exploit security loopholes, it is necessary for these platforms to invest in robust security measures to protect their users.

Conclusion

The MrTonyScam campaign targeting Facebook business accounts is a concerning development in the realm of cybersecurity. As attackers use increasingly sophisticated methods to spread malware and steal sensitive information, it is crucial for individuals and social media platforms to enhance their security measures. Through vigilance, skepticism, and the adoption of advanced security detection systems, users can better protect themselves from malicious attacks.
