Facebook Messenger phishing targets business accounts

September 14, 2023

A surge of Facebook Messenger phishing campaigns is hitting about 100,000 business accounts per week. A network of fake Facebook accounts runs the operation: its goal is to compromise Facebook business profiles with password-stealing malware, take them over, and ultimately use them for financial fraud.

The phishing messages target Facebook business accounts by masquerading as copyright-violation notices or product-information requests. Each message carries a RAR or ZIP archive containing a batch file that acts as a downloader for a Python-based stealer.

Once the victim executes the attached batch file, it retrieves a malware dropper from GitHub. Hosting the payload on a legitimate code-hosting service helps it evade URL blocklists, and the dropper obfuscates its traces on the system.

The dropper also fetches a standalone Python environment, which the infostealer needs to run, and registers the stealer to execute at system startup to establish persistence.

This Facebook Messenger phishing campaign uses multiple obfuscation methods.

The stealer itself is a Python script named project[.]py. The script is wrapped in five layers of obfuscation, which makes it hard for antivirus solutions to detect and stop.
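Added illustration, not code from the original report or from the campaign: a static unwrapper for the common nested exec(zlib.decompress(base64.b64decode(...))) layering that Python stealers use. The sample below is constructed here (the inner payload and the five-layer wrapping are assumptions for the demo, not project[.]py). The point is that each layer is decoded by parsing the source with ast rather than calling exec, so the suspect script is never run during analysis.

```python
import ast
import base64
import zlib

# Constructed sample for the demo: a harmless one-line "payload" wrapped in
# five layers of exec(zlib.decompress(base64.b64decode('...'))). This is NOT
# the campaign's project.py; it only reproduces the layering pattern.
INNER_PAYLOAD = "stolen = {'cookies': 'example'}\n"


def wrap_once(src: str) -> str:
    """Wrap Python source in one compress+base64+exec layer (builds the sample)."""
    blob = base64.b64encode(zlib.compress(src.encode())).decode()
    return f"import base64,zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))\n"


def wrap_layers(src: str, n: int) -> str:
    for _ in range(n):
        src = wrap_once(src)
    return src


SAMPLE = wrap_layers(INNER_PAYLOAD, 5)


def _unwrap_once(src: str):
    """Find exec(<transform chain>('<literal>')) in src and return the decoded
    inner source without executing anything. Returns None if no such call is
    present or the chain uses a transform we do not know how to reverse."""
    tree = ast.parse(src)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        arg = node.args[0]
        transforms = []                      # outermost first
        while isinstance(arg, ast.Call) and arg.args:
            transforms.append(ast.unparse(arg.func))
            arg = arg.args[0]
        if not (isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes))):
            return None
        data = arg.value if isinstance(arg.value, bytes) else arg.value.encode()
        for name in reversed(transforms):    # innermost transform applies first
            if name.endswith("b64decode"):
                data = base64.b64decode(data)
            elif name.endswith("decompress"):
                data = zlib.decompress(data)
            else:
                return None                  # unknown step: stop, never fall back to exec()
        return data.decode("utf-8", errors="replace")
    return None


def peel(src: str, max_layers: int = 20):
    """Strip nested layers until plain source remains. Returns (layers_removed, source)."""
    layers = 0
    while layers < max_layers:
        inner = _unwrap_once(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return layers, src


if __name__ == "__main__":
    n, plain = peel(SAMPLE)
    print(f"removed {n} layers; inner source:\n{plain}")
```

Real samples mix in other steps (marshal, string reversal, custom XOR), so the unwrapper deliberately stops at the first transform it does not recognise instead of guessing; that is the moment to add a decoder for the new step, not to run the script.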

The malware's primary job is to gather all cookies and saved login data from the victim's web browser. It packs the collected data into a ZIP archive named 'Document.zip'.

It then quietly sends the archive to an attacker-controlled endpoint, typically through Telegram or Discord bot APIs. As a final step, the stealer deletes all cookies from the victim's device, forcibly logging the victim out of their accounts.
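Added example of the detection side, written for this page rather than taken from the report: a small rule set that flags POSTs to Telegram bot-API and Discord webhook endpoints in outbound proxy logs, raising severity when the sender is a script interpreter uploading a large body, which is what a cookie archive exfiltration looks like. The log format, host and process names, the placeholder token and webhook id, and the 50 KB threshold are all assumptions; the log lines are constructed for the demo.

```python
import re
from typing import Dict, List, Optional

# Constructed proxy-log sample (assumed format: timestamp host process method url bytes_out).
# These lines are made up for the demo; the bot token and webhook id are placeholders.
SAMPLE_LOG = """\
2023-09-12T10:01:03Z ws-042 chrome.exe GET https://www.facebook.com/messages/ 1204
2023-09-12T10:02:41Z ws-042 python.exe POST https://api.telegram.org/bot000000000:EXAMPLETOKEN/sendDocument 184233
2023-09-12T10:02:42Z ws-042 python.exe POST https://discord.com/api/webhooks/000000000000000000/EXAMPLE/ 184233
2023-09-12T10:03:10Z ws-017 slack.exe POST https://slack.com/api/files.upload 9031
2023-09-12T10:04:55Z ws-017 chrome.exe GET https://api.telegram.org/bot000000000:EXAMPLETOKEN/getMe 310
"""

# Drop channels named in the report: Telegram bot API and Discord webhooks.
CHANNELS = {
    "telegram_bot_api": re.compile(
        r"^https?://api\.telegram\.org/bot\d+:[\w-]+/(sendDocument|sendMessage)"),
    "discord_webhook": re.compile(
        r"^https?://discord(?:app)?\.com/api/webhooks/\d+/"),
}
# Script hosts a dropped stealer typically runs under (assumed list for the demo).
INTERPRETERS = {"python.exe", "pythonw.exe", "python3", "wscript.exe",
                "cscript.exe", "powershell.exe"}
LARGE_UPLOAD = 50_000  # bytes; a cookie/login archive dwarfs a status ping


def parse_line(line: str) -> Optional[Dict]:
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, proc, method, url, size = parts
    return {"ts": ts, "host": host, "process": proc, "method": method,
            "url": url, "bytes_out": int(size)}


def detect_exfil(log_text: str) -> List[Dict]:
    """Return one alert per POST to a known drop channel, with severity."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        for channel, pattern in CHANNELS.items():
            if pattern.match(rec["url"]):
                high = (rec["process"].lower() in INTERPRETERS
                        and rec["bytes_out"] >= LARGE_UPLOAD)
                alerts.append({**rec, "channel": channel,
                               "severity": "high" if high else "medium"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(f"{alert['severity'].upper():6} {alert['host']} {alert['process']} "
              f"-> {alert['channel']} ({alert['bytes_out']} bytes)")
```

Only the two python.exe uploads fire; the chrome.exe GET to the same bot endpoint is ignored because the rule keys on POST, which keeps ordinary browsing of Telegram's API docs or a legitimate bot integration from alerting at the same severity. In production you would add process ancestry (a batch file spawning an interpreter from a user-writable path) and a Run-key or startup-folder write, which this page describes but the sample log does not carry.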

This buys the actors time to hijack the compromised account by changing its password before the victim can react. Worse, the campaign exploits the platform's slow response to reports of hijacked accounts; that delay gives the threat actors a window for fraudulent activity.

The scale is alarming even though the tactics are standard for many threat actors. About 100,000 phishing messages a week currently target Facebook users in multiple countries, mostly in North America, Europe, and Southeast Asia.

Facebook business account owners in these regions should be wary of opening attachments received through Messenger, since a single archive can start an infection chain that ends in account loss.
