Millions of Facebook Business Accounts Bitten by Python Malware

Attackers are targeting millions of Facebook business accounts with malicious messages, sent via Facebook Messenger from a botnet of fake and hijacked personal Facebook accounts. The goal is to spread an info-stealing malware that can intercept browsing sessions and account cookies, and it's hitting 100,000 Facebook business accounts per week, according to researchers.

The Python-based stealer successfully infects about 1.4% of targets — or about one out of 70 of those reached, Guardio Labs revealed in a blog post on Sept. 11. Guardio has dubbed the effort the "MrTonyScam," based on the name of the administrator of a Telegram channel with which the stealer interacts.

"Facebook’s Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts," Oleg Zaytsev, a Guardio Labs security researcher, wrote in the post.

Indeed, there has been an uptick recently in various threat campaigns aimed at hijacking Facebook business accounts, all of which is supporting a thriving business on Telegram dark markets to sell these accounts to cybercriminals to use for further nefarious activity.

"We see numerous channels and users offering everything from specific high-value accounts to 'logs' of hundreds and thousands of hijacked business accounts (BM — Business Manager), advertisement accounts with reputation, or even linked payment methods and credits (Agency Accounts)," Zaytsev wrote.

MrTonyScam Facebook Attack Details

Some of the tactics and techniques of the campaign match previous ones used by a Vietnam-based threat actor, according to the research — with the bulk of the victims of the far-reaching campaign being based in North America, Europe, Asia, and Australia.

From a technical standpoint, the attack's messages contain a compressed stealer payload that targets the victims’ installed browsers to lift session cookies; these are then sent to threat actors' IM channels in a "swift and effective operation," Zaytsev wrote.

He added that there are several aspects to the campaign that appear to contribute to its unusual rate of success — despite requiring action on the part of message recipients. One is the ability for messages — which vary in content but share similar context — to slip past spam detectors that scan for mass mailings. For instance, some of the messages are complaints addressing the page for violating policies, while others may include questions related to a product that is likely advertised by the target account. This variation and the use of different filenames, as well as the addition of Unicode characters to different words, "make each message unique," Zaytsev wrote.

The messages also contain a link that appears to be relevant to the content sent in the message, such as a link to product to check its availability. If clicked, the link downloads a "classic stealer" payload archived with RAR or zip formats, which then uses a multistep process and five layers of obfuscation to hide its content, Zaytsev wrote. The payload also is generated on the fly to avoid static detection.

"The attack flow is a combination of techniques, free/open platform abuse, as well as numerous obfuscation and hiding methods — summing to a quite complex flow," according to the researcher.

Once executed, the "simple, straightforward Python script extracts all cookies and login data (saved usernames and passwords) from several popular browsers it looks for on the victim's computer," he explained in the post. "All this together is sent to a Telegram channel using Telegram's/Discord bot API, which is a common practice among scammers."

The payload's final act is to delete all cookies after stealing them, effectively locking victims out of their accounts. This gives the scammers time to hijack their session and replace the password so victims can't revoke the stolen session or change the password themselves, Zaytsev said.

Exposing Security Holes

MrTonyScam and other campaigns targeting Facebook business users demonstrate how threat actors continue to expose security loopholes in both modern browsers — which continue to store easily decrypted passwords and user cookies — as well as social media services like Facebook, he said.

"Threat actors will always find new ways to get to us, hijack social accounts, and abuse legitimate services for their malicious deeds," Zaytsev wrote. Meanwhile, Facebook and other social media services still fail to detect account hijacking in real time, while the Dark Web cybercriminal ecosystem thrives and attracts more and more threat actors, he wrote.

These threats demand even more vigilance on the part of users to consider with suspicion any and all messages from users they don't recognize, as well as the use of "more layers of security detection" to counter malicious messages before they reach a social-media inbox, Zaytsev advised.