Cybercriminals have launched a large-scale campaign over the past month against Facebook business accounts through the Messenger platform, sending messages that allege violations of service policies and carry links to infected compressed files. These contain ‘scripts’ that can retrieve ‘cookies’ and passwords.
The Vietnam-based attack group was able to compromise thousands of companies and organizations through the Facebook messaging service using a ‘phishing’ technique, Guardio Labs has confirmed. Over the last 30 days it has mainly targeted North America, Europe and Oceania.
These cyber security experts say the attack flow is “a combination of techniques, abuse of open and free platforms, as well as multiple obfuscation and evasion methods”, according to their statement describing its operation.
To carry out these campaigns, cybercriminals send a message containing a ‘url’ to corporate accounts and business owners through Messenger. These messages encourage them to click on a malicious link.
Although the contents of these messages vary, according to Guardio Labs “they all seem to share the same context”: product-related questions about items advertised on a business account, or complaints claiming that a page violates the site’s policies.
Variations in code
To avoid being noticed, cybercriminals vary each message in both its text and its subject line, use different filenames, and add Unicode characters to some words, producing a series of variations. This way, they avoid detection by ‘anti-spam’ solutions.
The malicious payload (project.py) is delivered in RAR or ZIP format, with a single file inside. One of the ‘scripts’ found by Guardio Labs was a batch script, that is, one executed line by line. It acted as a ‘dropper’, a type of ‘malware’ that delivers an executable file.
That first file then downloads another ZIP file, usually hosted on free hosting sites like GitHub or GitLab. The latter contains another batch script that runs directly and uses a particular encoding.
Specifically, the text file is encoded in UTF-16LE at its beginning and end, while most of its characters are in ASCII. According to the researchers, this is a “clever tactic to hide the bulk of the content” from automated scanners, which would otherwise limit the attack’s reach.
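As an added example (not code from Guardio’s report), the following heuristic flags exactly the mismatch described above: a batch file that opens with a UTF-16LE byte-order mark but whose body is almost entirely single-byte ASCII. The sample inputs are constructed here, and the 0.9 threshold is an assumption.

```python
# Added example: detect a lying UTF-16LE byte-order mark on a batch script.
# Genuine UTF-16LE text has a NUL in every second byte for ASCII characters,
# so only about half its bytes are printable; a BOM followed by a body that is
# almost all printable ASCII means the BOM misrepresents the real encoding.
from dataclasses import dataclass

UTF16LE_BOM = b"\xff\xfe"
# Printable ASCII plus the whitespace a batch script normally contains.
_TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class EncodingVerdict:
    has_utf16le_bom: bool
    single_byte_ratio: float  # share of body bytes that are plain ASCII text
    suspicious: bool


def _body(data: bytes) -> bytes:
    return data[len(UTF16LE_BOM):] if data.startswith(UTF16LE_BOM) else data


def inspect_batch_bytes(data: bytes, threshold: float = 0.9) -> EncodingVerdict:
    """Flag a BOM-marked file whose body is mostly single-byte text (threshold assumed)."""
    has_bom = data.startswith(UTF16LE_BOM)
    body = _body(data)
    if not body:
        return EncodingVerdict(has_bom, 0.0, False)
    ratio = sum(1 for b in body if b in _TEXT_BYTES) / len(body)
    return EncodingVerdict(has_bom, ratio, has_bom and ratio >= threshold)


def scanner_view(data: bytes) -> str:
    """What a tool that honours the BOM decodes and inspects: the ASCII commands vanish."""
    return _body(data).decode("utf-16-le", errors="replace")


def byte_view(data: bytes) -> str:
    """The same bytes read one byte per character, where the real commands are visible."""
    return _body(data).decode("latin-1")


# Constructed samples: a genuinely UTF-16LE script, and one using the trick
# (BOM, then plain ASCII commands, then a UTF-16LE line ending at the end).
SAMPLE_GENUINE = UTF16LE_BOM + "@echo off\r\necho hello\r\n".encode("utf-16-le")
SAMPLE_TRICK = (UTF16LE_BOM + b"@echo off\r\necho constructed sample\r\n"
                + "\r\n".encode("utf-16-le"))

if __name__ == "__main__":
    for name, sample in (("genuine", SAMPLE_GENUINE), ("trick", SAMPLE_TRICK)):
        v = inspect_batch_bytes(sample)
        print(f"{name}: ratio={v.single_byte_ratio:.2f} suspicious={v.suspicious}")
```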
Since it is a batch script, all of its lines, benign and malicious alike, are executed; the script then uses a Python environment to collect ‘cookies’ and login data, the user names and passwords stored in victims’ browsers.
Once the information is gathered, it is sent in bulk to a Telegram or Discord channel using the application programming interface (API) of the platforms’ ‘bots’.
Besides stealing them, the malicious script deletes all cookies, so that victims are logged out of their accounts. In the meantime, cybercriminals hijack the victims’ logins and change the passwords.
The security firm pointed out that cybercriminals have a network of “bots” and fake accounts, as well as a list of millions of accounts and pages managed by companies, and send around 100,000 phishing messages per week worldwide.
Also, according to their statistics, of all corporate accounts on Facebook, at least 7 percent received this infected communication in the last 30 days and 0.4 percent of them downloaded the attached malicious file, so one in 250 accounts was eventually infected.
Guardio Cybersecurity researcher Oleg Zaytsev also points out that the campaign’s success rate is one in every 70 infected accounts, since for the credentials and the account to be stolen, users still need to run the downloaded file.