Attacks/Breaches

7/1/2019
04:50 PM
Thousands of Facebook Users Hit in Malware Distribution Campaign

'Operation Tripoli' is another reminder why users cannot trust every link they see on social media sites.

Social media platforms have become major malware distribution centers. Criminals are increasingly exploiting the trust many people have in the security of these venues to host and distribute a variety of malicious payloads on desktop and mobile systems, including those belonging to enterprise organizations.

The latest example is "Operation Tripoli," a multiyear malware campaign mainly targeting users in Libya that has nevertheless impacted tens of thousands of Facebook users across multiple countries, including the US and Canada.

Researchers from Check Point Software uncovered the campaign recently when investigating a Facebook page impersonating Khalifa Haftar, commander of the Libyan National Army. The page, created in April, offered posts about airstrikes, terrorists being captured, and other content likely of interest to people in Libya.

With more than 11,000 followers, the page contained URLs for downloading files that were often described as documents containing evidence of countries like Qatar and Turkey conspiring against Libya, or containing photos of pilots captured when bombing Tripoli and other lures. Some URLs purported to be to sites where citizens could sign up for the army.

Facebook users on mobile and desktop devices who clicked on these links ended up downloading a variety of known remote administration tools used for spying and stealing data. Check Point's investigation of the fake Khalifa Haftar Facebook page shows that the individual behind it had been distributing malicious links through more than 30 other Facebook pages since at least 2014. Some of the pages had tens and even hundreds of thousands of followers. One, for instance, had close to 140,000 followers.

All of the pages were Libya-related, and, in at least some instances, the threat actor appears to have gained access to them after the original owners had created and operated them for a while. As with many other campaigns these days, the malware associated with these pages was usually hosted on file-sharing services such as Dropbox, Google Drive, and Box.

In some instances, the threat actors behind Operation Tripoli compromised websites belonging to major companies and hosted malware on them. Among those compromised in this fashion were Libyana, a major mobile operator in the country, and at least one Israeli and Russian company, Check Point said.

One of Largest Malware Distribution Campaigns on Facebook
According to Check Point, the malware distribution campaign is one of the largest it has observed on Facebook. The security vendor has estimated that some 50,000 Facebook users have clicked on the URLs over the years, but it is unclear how many of them became infected as a result. Facebook has since removed the fake Khalifa Haftar page and all other artifacts of Operation Tripoli after Check Point informed the social media giant of the activity.

Lotem Finkelstein, group manager of products at Check Point, says the attacker's primary motive appears to have been stealing sensitive and personal data, including credentials to social networks and other online services.

However, the attacker's activities also show a very strong interest in the political tensions in Libya. "It is quite obvious that politicians and government entities were also a target," Finkelstein says. "The attacker shared several times top-secret governmental documents and official documents of high-profile personnel in his fake Facebook account."

The main takeaway from this report is that phishing and malware attacks are not limited to email platforms, and that social networks, like Facebook, are used to distribute them, he says. "Therefore, the public has to be more alert to the content it consumes in social media," Finkelstein says.

Malware distributed via social media sites poses a major threat for businesses, as well. Research conducted by Bromium earlier this year showed that nearly 20% of organizations had been hit with malware from a social media site, while some 12% had experienced a breach from such malware. At the time Bromium conducted its study, four of the top five sites that were illegally distributing cryptocurrency mining software were hosted on a social media platform.

The vendor found criminals using malicious advertisements, applications, plug-ins, and URLs to distribute malware via social media sites. Bromium estimated that 1.3 billion users of social media had already had their information compromised in the past five years. More than 50% of stolen data available in underground markets last year was sourced from social media platforms, according to Bromium.

Jim Zuffoletti, CEO of social media security vendor SafeGuard Cyber, says the threat to companies via social media accounts indeed is real. "Detecting malicious content is a massive challenge when it comes to the social media platforms who face the dual responsibility of protecting their own infrastructure as well as their customer accounts," Zuffoletti says. "We've now seen payloads delivered via shared links, files, and direct messages, which underscores that social media is an incredibly important vector for companies and governments."

Notes Check Point's Finkelstein: "There are many attempts to use social networks to spread malware — it's just a natural development of the cyberthreat landscape. Most attempts, however, fail, thanks to the efforts the platforms invest in taking them down."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

tdsan,
User Rank: Ninja
7/2/2019 | 1:16:50 PM
Mark seems to be falling deeper and deeper into this worm hole
At this point, he needs to invest in software that is intelligent (Sophos Intercept X, Extrahop, FireEye, IBM Watson with Qradar, McAfee Nitro, etc.) to make a decision on the landscape and determine if an anomaly exists and then make a decision on a learned response (50,000 clicks of individuals being affected, I think this should do it). Also, Facebook is being fined in other countries across the globe for their lack of PII controls.

Also, there needs to be a discussion on behavioral analysis where if the attack took place in this part of the country, the software should enter it into a SharedDB (No-SQL); big data can be used to create relationships where each attack element is scrutinized to the nth degree. This provides the security teams with a way to determine if this hack occurred from the same region, person, type or some characteristic where they can narrow it down to an area, business or person. This correlation should be prioritized based on the level of severity and then fed into the ML system where resolutions are presented to the security expert; each expert can determine if this is worth pursuing or not, but this reaction can be done in real time without user interaction if this is a repeatable occurrence.

AI Comparisons

AI vs CyberSecurity Trends

There are companies who are making changes to the landscape, but they are not being effectively used and integrated; there needs to be another focus on how information is gathered during the initial stages to ensure it is cleansed and/or eradicated before it has time to incubate or be part of their ecosystem.

Todd