Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Thousands of Facebook Users Hit in Malware Distribution Campaign

'Operation Tripoli' is another reminder why users cannot trust every link they see on social media sites.

Social media platforms have become major malware distribution centers. Criminals are increasingly exploiting the trust many people have in the security of these venues to host and distribute a variety of malicious payloads on desktop and mobile systems, including those belonging to enterprise organizations.

The latest example is "Operation Tripoli," a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada.

Researchers from Check Point Software uncovered the campaign recently when investigating a Facebook page impersonating Khalifa Haftar, commander of the Libyan National Army. The page, created in April, offered posts about airstrikes, terrorists being captured, and other content likely of interest to people in Libya.

With more than 11,000 followers, the page contained URLs for downloading files that were often described as documents containing evidence of countries like Qatar and Turkey conspiring against Libya, or containing photos of pilots captured when bombing Tripoli and other lures. Some URLs purported to be to sites where citizens could sign up for the army.

Facebook users on mobile and desktop devices who clicked on these links ended up downloading a variety of known remote administration tools used for spying and stealing data. Check Point's investigation of the fake Khalifa Haftar Facebook page shows that the individual behind it had been distributing malicious links through more than 30 other Facebook pages since at least 2014. Some of the pages had tens and even hundreds of thousands of followers. One, for instance, had close to 140,000 followers.

All of the pages were Libya-related, and, in at least some instances, the threat actor appears to have gained access to them after the original owners had created and operated them for a while. As with many other campaigns these days, the malware associated with these pages was usually hosted on file-sharing services such as Dropbox, Google Drive, and Box.

In some instances, the threat actors behind Operation Tripoli compromised websites belonging to major companies and hosted malware on them. Among those compromised in this fashion were Libyana, a major mobile operator in the country, and at least one Israeli and Russian company, Check Point said.

One of Largest Malware Distribution Campaigns on Facebook
According to Check Point, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result. Facebook has since removed the fake Khalifa Haftar page and all other artifacts of Operation Tripoli after Check Point informed the social media giant of the activity.

Lotem Finkelstein, group manager of products at Check Point, says the attacker's primary motive appears to have been stealing sensitive and personal data, including credentials to social networks and other online services.

However, the attacker's activities also show a very strong interest in the political tensions in Libya. "It is quite obvious that politicians and governments entities were also a target," Finkelstein says. "The attacker shared several times top-secret governmental documents and official documents of high-profile personnel in his fake Facebook account."

The main takeaway from this report is that phishing and malware attacks are not limited to email platforms, and that social networks, like Facebook, are used to distribute them, he says. "Therefore, the public has to be more alert to the content it consumes in social media," Finkelstein says.

Malware distributed via social media sites pose a major threat for businesses, as well. Research conducted by Bromium earlier this year showed that nearly 20% of organizations had been hit with malware from a social media site, while some 12% had experienced a breach from such malware. At the time Bromium conducted its study, four of the top five sites that were illegally distributing cryptocurrency mining software were hosted on a social media platform.

The vendor found criminals using malicious advertisements, applications, plug-ins, and URLs to distributed malware via social media sites. Bromium estimated that 1.3 billion users of social media had already had their information compromised in the past five years. More than 50% of stolen data available in underground markets last year was sourced from social media platforms, according to Bromium.

Jim Zuffoletti, CEO of social media security vendor SafeGuard Cyber, says the threat to companies via social media accounts indeed is real. "Detecting malicious content is a massive challenge when it comes to the social media platforms who face the dual responsibility of protecting their own infrastructure as well as their customer accounts," Zuffoletti says. "We've now seen payloads delivered via shared links, files, and direct messages, which underscores that social media is an incredibly important vector for companies and governments."

Notes CheckPoint's Finkelstein: "There are many attempts to use social networks to spread malware — it's just a natural development of the cyberthreat landscape. Most attempts, however, fail, thanks to the efforts the platforms invest in taking them down."

Related Content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/2/2019 | 1:16:50 PM
Mark seems to be falling deeper and deeper into this worm hole
At this point, he needs to invest in software that is intelligent (Sophos Intercept X, Extrahop, FireEye, IBM Watson with Qradar, McAfee Nitro, etc) to make a decision on the landscape and determine if anomaly exists and then make a decision on a learned response (50,000 clicks of individuals being affected, I think this should do it). Also, Facebook is being finded in other countries across the globe for their lack of PII controls.

Also, there needs to be a discussion on behavorial analysis where if the attack took place in this part of the country, the software should enter it into a SharedDB (No-SQL); big-data can be used to create relationships where each attack element is scrunitized to the nth degree. This provides the security teams with a way to determine if this hack occurred from the same region, person, type or some characteristic where they can narrow it down to an area, business or person. This correlation should be prioritized based on the level of severity and then feed into the ML system where resolutions are presented to the security expert; each expert can determine if this is worth pursuing or not, but this reaction can be done in real-time without user interaction if this is a repeatable occurrence.

AI Comparisons

AI vs CyberSecurity Trends

There are companies who are making changes to the landscape, but they are not being effectively used and integrated, there needs to be another focus on how information is gathered during the initial stages to ensure it is cleansed and/or eradicated before it has time to incubate or be part of their ecosystem.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.