Thousands of Facebook Users Hit in Malware Distribution Campaign

'Operation Tripoli' is another reminder why users cannot trust every link they see on social media sites.

Social media platforms have become major malware distribution centers. Criminals are increasingly exploiting the trust many people have in the security of these venues to host and distribute a variety of malicious payloads on desktop and mobile systems, including those belonging to enterprise organizations.

The latest example is "Operation Tripoli," a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada.

Researchers from Check Point Software uncovered the campaign recently when investigating a Facebook page impersonating Khalifa Haftar, commander of the Libyan National Army. The page, created in April, offered posts about airstrikes, terrorists being captured, and other content likely of interest to people in Libya.

With more than 11,000 followers, the page contained URLs for downloading files that were often described as documents containing evidence of countries like Qatar and Turkey conspiring against Libya, or containing photos of pilots captured when bombing Tripoli and other lures. Some URLs purported to be to sites where citizens could sign up for the army.

Facebook users on mobile and desktop devices who clicked on these links ended up downloading a variety of known remote administration tools used for spying and stealing data. Check Point's investigation of the fake Khalifa Haftar Facebook page shows that the individual behind it had been distributing malicious links through more than 30 other Facebook pages since at least 2014. Some of the pages had tens and even hundreds of thousands of followers. One, for instance, had close to 140,000 followers.

All of the pages were Libya-related, and, in at least some instances, the threat actor appears to have gained access to them after the original owners had created and operated them for a while. As with many other campaigns these days, the malware associated with these pages was usually hosted on file-sharing services such as Dropbox, Google Drive, and Box.

In some instances, the threat actors behind Operation Tripoli compromised websites belonging to major companies and hosted malware on them. Among those compromised in this fashion were Libyana, a major mobile operator in the country, and at least one Israeli company and one Russian company, Check Point said.
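The delivery pattern described above (a link on a Facebook page leading to a download hosted on Dropbox, Google Drive, Box, or a compromised legitimate site) is something a defender can look for in web-proxy logs. The script below is an added example, not tooling from Check Point, Facebook, or Dark Reading; the log line format, the host lists, and the sample log lines are all constructed assumptions.

```python
"""Flag web-proxy log entries that match the delivery pattern described
in the article: a link on a social-media site leading to a download from
a consumer file-sharing service.  This is an added illustration, not
Check Point's or Facebook's tooling; the log format, the host lists and
the sample lines below are all constructed assumptions."""
import os
from urllib.parse import urlparse

# Assumption: consumer file-sharing hosts named in the article as abused.
FILE_SHARING_HOSTS = {
    "dropbox.com", "dropboxusercontent.com",
    "drive.google.com", "docs.google.com",
    "box.com",
}
# Assumption: referrer hosts that indicate the click came from Facebook.
SOCIAL_REFERRERS = {"facebook.com", "fb.com"}
# Extensions that are executable, scriptable, or archive droppers.
RISKY_EXTENSIONS = {".exe", ".scr", ".msi", ".apk", ".js", ".jse", ".vbs",
                    ".bat", ".hta", ".rar", ".zip", ".7z"}


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def host_in(host: str, domains: set) -> bool:
    """True if host equals or is a subdomain of any listed domain.
    Suffix matching on the label boundary, so 'dropbox.com.example.net'
    does not match 'dropbox.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def has_risky_extension(url: str) -> bool:
    """Look at the URL path only; query strings such as ?dl=1 are ignored."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return ext in RISKY_EXTENSIONS


def classify(url: str, referer: str):
    """Return 'high', 'medium', 'low' or None for one request.

    high   : risky file type from a file-sharing host, clicked from Facebook
    medium : risky file type from a file-sharing host, any referrer
    low    : other content from a file-sharing host, clicked from Facebook
             (Google Drive direct-download links, for instance, carry no
             extension, so they only reach 'low' here)
    """
    if not host_in(hostname(url), FILE_SHARING_HOSTS):
        return None
    risky = has_risky_extension(url)
    social = host_in(hostname(referer), SOCIAL_REFERRERS)
    if risky and social:
        return "high"
    if risky:
        return "medium"
    if social:
        return "low"
    return None


def scan(lines):
    """Parse 'ts client method url status referer' lines (assumed format)
    and return findings in log order; malformed lines are skipped."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, client, _method, url, _status, referer = fields
        severity = classify(url, referer)
        if severity:
            findings.append({"ts": ts, "client": client, "url": url,
                             "referer": referer, "severity": severity})
    return findings


def high_risk_clients(findings):
    """Sorted client addresses with at least one 'high' finding."""
    return sorted({f["client"] for f in findings if f["severity"] == "high"})


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2019-06-30T14:02:11Z 10.1.4.22 GET https://www.dropbox.com/s/abc123/Qatar_Turkey_evidence.exe?dl=1 200 https://l.facebook.com/l.php?u=https%3A%2F%2Fwww.dropbox.com%2Fs%2Fabc123
2019-06-30T14:03:40Z 10.1.4.22 GET https://www.dropbox.com/s/abc123/report.pdf?dl=1 200 https://l.facebook.com/
2019-06-30T14:05:02Z 10.1.7.9 GET https://drive.google.com/uc?export=download&id=1XyZ 200 https://m.facebook.com/
2019-06-30T14:06:13Z 10.1.7.9 GET https://intranet.example.com/build/tool.exe 200 https://intranet.example.com/
2019-06-30T14:07:55Z 10.1.9.3 GET https://app.box.com/s/def456/pilot_photos.rar 200 -
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["severity"], f["client"], f["url"])
    print("high-risk clients:", high_risk_clients(results))
```

The suffix check in `host_in` matters: a naive substring match on "dropbox.com" would also accept an attacker-registered `dropbox.com.example.net`, and the compromised-legitimate-site case in the article (Libyana and others) will not be caught by host lists at all, which is why the file-type rule runs independently of the referrer.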

One of Largest Malware Distribution Campaigns on Facebook
According to Check Point, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result. Facebook has since removed the fake Khalifa Haftar page and all other artifacts of Operation Tripoli after Check Point informed the social media giant of the activity.

Lotem Finkelstein, group manager of products at Check Point, says the attacker's primary motive appears to have been stealing sensitive and personal data, including credentials to social networks and other online services.

However, the attacker's activities also show a very strong interest in the political tensions in Libya. "It is quite obvious that politicians and governments entities were also a target," Finkelstein says. "The attacker shared several times top-secret governmental documents and official documents of high-profile personnel in his fake Facebook account."

The main takeaway from this report is that phishing and malware attacks are not limited to email platforms, and that social networks, like Facebook, are used to distribute them, he says. "Therefore, the public has to be more alert to the content it consumes in social media," Finkelstein says.

Malware distributed via social media sites poses a major threat to businesses as well. Research conducted by Bromium earlier this year showed that nearly 20% of organizations had been hit with malware from a social media site, while some 12% had experienced a breach from such malware. At the time Bromium conducted its study, four of the top five sites that were illegally distributing cryptocurrency mining software were hosted on a social media platform.

The vendor found criminals using malicious advertisements, applications, plug-ins, and URLs to distribute malware via social media sites. Bromium estimated that 1.3 billion users of social media had already had their information compromised in the past five years. More than 50% of stolen data available in underground markets last year was sourced from social media platforms, according to Bromium.

Jim Zuffoletti, CEO of social media security vendor SafeGuard Cyber, says the threat to companies via social media accounts indeed is real. "Detecting malicious content is a massive challenge when it comes to the social media platforms who face the dual responsibility of protecting their own infrastructure as well as their customer accounts," Zuffoletti says. "We've now seen payloads delivered via shared links, files, and direct messages, which underscores that social media is an incredibly important vector for companies and governments."

Notes Check Point's Finkelstein: "There are many attempts to use social networks to spread malware — it's just a natural development of the cyberthreat landscape. Most attempts, however, fail, thanks to the efforts the platforms invest in taking them down."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

7/2/2019 | 1:16:50 PM
Mark seems to be falling deeper and deeper into this worm hole
At this point, he needs to invest in software that is intelligent (Sophos Intercept X, Extrahop, FireEye, IBM Watson with Qradar, McAfee Nitro, etc) to make a decision on the landscape and determine if anomaly exists and then make a decision on a learned response (50,000 clicks of individuals being affected, I think this should do it). Also, Facebook is being fined in other countries across the globe for their lack of PII controls.

Also, there needs to be a discussion on behavioral analysis where if the attack took place in this part of the country, the software should enter it into a SharedDB (No-SQL); big-data can be used to create relationships where each attack element is scrutinized to the nth degree. This provides the security teams with a way to determine if this hack occurred from the same region, person, type or some characteristic where they can narrow it down to an area, business or person. This correlation should be prioritized based on the level of severity and then feed into the ML system where resolutions are presented to the security expert; each expert can determine if this is worth pursuing or not, but this reaction can be done in real-time without user interaction if this is a repeatable occurrence.

AI Comparisons

AI vs CyberSecurity Trends

There are companies who are making changes to the landscape, but they are not being effectively used and integrated; there needs to be another focus on how information is gathered during the initial stages to ensure it is cleansed and/or eradicated before it has time to incubate or be part of their ecosystem.
