Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Thousands of Facebook Users Hit in Malware Distribution Campaign

'Operation Tripoli' is another reminder why users cannot trust every link they see on social media sites.

Social media platforms have become major malware distribution centers. Criminals are increasingly exploiting the trust many people have in the security of these venues to host and distribute a variety of malicious payloads on desktop and mobile systems, including those belonging to enterprise organizations.

The latest example is "Operation Tripoli," a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada.

Researchers from Check Point Software uncovered the campaign recently when investigating a Facebook page impersonating Khalifa Haftar, commander of the Libyan National Army. The page, created in April, offered posts about airstrikes, terrorists being captured, and other content likely of interest to people in Libya.

With more than 11,000 followers, the page contained URLs for downloading files that were often described as documents containing evidence of countries like Qatar and Turkey conspiring against Libya, or containing photos of pilots captured when bombing Tripoli and other lures. Some URLs purported to be to sites where citizens could sign up for the army.

Facebook users on mobile and desktop devices who clicked on these links ended up downloading a variety of known remote administration tools used for spying and stealing data. Check Point's investigation of the fake Khalifa Haftar Facebook page shows that the individual behind it had been distributing malicious links through more than 30 other Facebook pages since at least 2014. Some of the pages had tens and even hundreds of thousands of followers. One, for instance, had close to 140,000 followers.

All of the pages were Libya-related, and, in at least some instances, the threat actor appears to have gained access to them after the original owners had created and operated them for a while. As with many other campaigns these days, the malware associated with these pages was usually hosted on file-sharing services such as Dropbox, Google Drive, and Box.

In some instances, the threat actors behind Operation Tripoli compromised websites belonging to major companies and hosted malware on them. Among those compromised in this fashion were Libyana, a major mobile operator in the country, and at least one Israeli and Russian company, Check Point said.

One of Largest Malware Distribution Campaigns on Facebook
According to Check Point, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result. Facebook has since removed the fake Khalifa Haftar page and all other artifacts of Operation Tripoli after Check Point informed the social media giant of the activity.

Lotem Finkelstein, group manager of products at Check Point, says the attacker's primary motive appears to have been stealing sensitive and personal data, including credentials to social networks and other online services.

However, the attacker's activities also show a very strong interest in the political tensions in Libya. "It is quite obvious that politicians and governments entities were also a target," Finkelstein says. "The attacker shared several times top-secret governmental documents and official documents of high-profile personnel in his fake Facebook account."

The main takeaway from this report is that phishing and malware attacks are not limited to email platforms, and that social networks, like Facebook, are used to distribute them, he says. "Therefore, the public has to be more alert to the content it consumes in social media," Finkelstein says.

Malware distributed via social media sites pose a major threat for businesses, as well. Research conducted by Bromium earlier this year showed that nearly 20% of organizations had been hit with malware from a social media site, while some 12% had experienced a breach from such malware. At the time Bromium conducted its study, four of the top five sites that were illegally distributing cryptocurrency mining software were hosted on a social media platform.

The vendor found criminals using malicious advertisements, applications, plug-ins, and URLs to distributed malware via social media sites. Bromium estimated that 1.3 billion users of social media had already had their information compromised in the past five years. More than 50% of stolen data available in underground markets last year was sourced from social media platforms, according to Bromium.

Jim Zuffoletti, CEO of social media security vendor SafeGuard Cyber, says the threat to companies via social media accounts indeed is real. "Detecting malicious content is a massive challenge when it comes to the social media platforms who face the dual responsibility of protecting their own infrastructure as well as their customer accounts," Zuffoletti says. "We've now seen payloads delivered via shared links, files, and direct messages, which underscores that social media is an incredibly important vector for companies and governments."

Notes CheckPoint's Finkelstein: "There are many attempts to use social networks to spread malware — it's just a natural development of the cyberthreat landscape. Most attempts, however, fail, thanks to the efforts the platforms invest in taking them down."

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/2/2019 | 1:16:50 PM
Mark seems to be falling deeper and deeper into this worm hole
At this point, he needs to invest in software that is intelligent (Sophos Intercept X, Extrahop, FireEye, IBM Watson with Qradar, McAfee Nitro, etc) to make a decision on the landscape and determine if anomaly exists and then make a decision on a learned response (50,000 clicks of individuals being affected, I think this should do it). Also, Facebook is being finded in other countries across the globe for their lack of PII controls.

Also, there needs to be a discussion on behavorial analysis where if the attack took place in this part of the country, the software should enter it into a SharedDB (No-SQL); big-data can be used to create relationships where each attack element is scrunitized to the nth degree. This provides the security teams with a way to determine if this hack occurred from the same region, person, type or some characteristic where they can narrow it down to an area, business or person. This correlation should be prioritized based on the level of severity and then feed into the ML system where resolutions are presented to the security expert; each expert can determine if this is worth pursuing or not, but this reaction can be done in real-time without user interaction if this is a repeatable occurrence.

AI Comparisons

AI vs CyberSecurity Trends

There are companies who are making changes to the landscape, but they are not being effectively used and integrated, there needs to be another focus on how information is gathered during the initial stages to ensure it is cleansed and/or eradicated before it has time to incubate or be part of their ecosystem.

Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...