Facebook detailed an ad-fraud cyberattack that’s been ongoing since 2016, crooks are using a malware tracked as SilentFade (short for “Silently running Facebook Ads with Exploits”) to steal Facebook credentials and browser cookies.
The social network giant revealed that malware has a Chinese origin and allowed hackers to siphon $4 million from users’ advertising accounts.
Threat actors initially compromised Facebook accounts, then used them to steal browser cookies and carry out malicious activities, including the promotion of malicious ads.
Facebook spotted the campaign in December 2018 when noticed a surge in suspicious traffic across a number of Facebook endpoints.
“Our investigation uncovered a number of interesting techniques used to compromise people with the goal to commit ad fraud. The attackers primarily ran malicious ad campaigns, often in the form of advertising pharmaceutical pills and spam with fake celebrity endorsements.” explained this week Facebook researchers Sanchit Karve and Jennifer Urgilez in a talk at the Virus Bulletin 2020 conference.
Facebook confirmed that the initial attack vector isn’t its platform, in fact, SilentFade was not spreading via Facebook or its products. The experts noticed that it was usually bundled with potentially unwanted programs (PUPs).
Once installed, SilentFade allows attackers to steal only Facebook-specific stored credentials and cookies from major browsers, including Internet Explorer, Chromium, and Firefox.
“However, unlike the others, SilentFade’s credential-stealing component only retrieved Facebook-specific stored credentials and cookies located on the compromised machine” reads the paper published by the experts.
“Cookies are more valuable than passwords because they contain session tokens, which are post-authentication tokens. This use of compromised credentials runs the risk of encountering accounts that are protected with two-factor authentication, which SilentFade cannot bypass.”
Experts explained that All Chromium and Firefox-based browsers store credentials and cookies in SQLite databases. A malware running on an infected endpoint could access cookie store if has the knowledge of its location in the various browsers.
The malware is composed of three to four components, its main downloader component is included in PUP bundles.
“The downloader application either downloads a standalone malware component or a Windows service installed as either ‘AdService’ or ‘HNService’. The service is responsible for persistence across reboots and for dropping 32-bit and 64-bit version DLLs in Chrome’s application directory.” continues the paper.
“The DLL proxies all make requests to the real winhttp.dll but makes requests to facebook.com through the Chrome process, evading dynamic behavior-based anti-malware detection by mimicking innocuous network requests.”
Upon stealing Facebook-related credentials, SilentFade retrieves the metadata of the Facebook account (i.e. payment information and the total amount previously spent on Facebook ads) using the Facebook Graph API.
The malware sends the data to the C2 servers in the form of an encrypted JSON blob through custom HTTP headers.
SilentFade implements multiple evasion techniques, it is able to detect virtual machines and to disable Facebook notification alerts from compromised accounts.
The C2 server stored the data it received from the infected node and logged the IP address of the incoming request for the purpose of geolocation.
The geolocation is crucial in the fraudulent scheme implemented by crooks because the attackers intentionally used the stolen credentials in the proximity of the city of the infected machine.
Facebook accounts with associated credit cards were used to promote malicious ads on Facebook.
Facebook experts pointed out that financial data such as bank account and credit card numbers were never exposed to the attackers because Facebook does not make them visible through the desktop website or the Graph API.
The experts also uncovered other Chinese malware campaigns some of which are still ongoing. Threat actors employed multiple malicious codes dubbed StressPaint, FacebookRobot, and Scranos.
“We anticipate more platform-specific malware to appear for platforms serving large and growing audiences, as the evolving ecosystem targeting Facebook demonstrates,” concludes Facebook. “Only through user education and strong partnerships across the security industry will we measure the scale of malicious campaigns and effectively respond to them.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Facebook)
[adrotate banner=”5″]
[adrotate banner=”13″]