Researchers at Kaspersky Lab recently discovered cyberattacks on Instagram and Facebook Messenger intended to steal credentials and spread malware, respectively. Both instances demonstrate the potential danger when an attacker seeks power in a social network.
The two attacks, while similar in their use of social networks, were otherwise different in nature. The Instagram attacks were manual and targeted high-profile victims. The Facebook campaign used advanced tactics to infect a large and indiscriminate pool of users.
Instagram's vulnerability exists in mobile version 8.5.1, which was released in 2016. Attackers can simply select "reset password," capture the request using a Web proxy, select a victim, and submit a request to Instagram's server with the target's unique identifier or username. The server returns a JSON response with the victim's personal data, like email and phone number.
"The attacks are quite labor intensive," Kaspersky Lab researchers explain. "Each one has to be done manually since Instagram uses mathematical calculations to prevent attackers from automating the request form."
Hackers were found on an underground forum exchanging personal credentials for celebrity accounts. Researchers reported the bug to Instagram on August 29; on August 30, the photo-sharing app had warned users of the vulnerability and issued a fix. Users are advised to update their apps to the latest version and alert Instagram to emails about password restoration.
David Jacoby, senior security researcher for Kaspersky Lab's Global Research and Analysis Team, picked up on the Facebook Messenger-driven malware when he received a suspicious note from a distant contact. Within minutes, he realized he had received an advanced form of multi-platform malware/adware, which was using multiple domains to prevent tracking.
Infected messages contain a shortened link, which leads victims to a Google Doc containing an image resembling a fake video player with the sender's profile photo. Google Chrome users who click the link are redirected to a fake YouTube page, which prompts them to download a fake Chrome extension. If installed, it spreads malicious links to the victims' online friends.
Chrome was the browser highlighted in a blog post co-authored by Jacoby and Frans Rosén, security advisor at Detectify, who was also investigating the Facebook malware. The two determined it was clear Chrome was a targeted browser for spreading the attack to other victims; in other browsers, ads were displayed and adware was downloaded on the victim's machine.
Jacoby and Rosén found several Chrome extensions were used in this campaign. All were newly created with stolen code, and similar names, to legitimate extensions. Each contained obfuscated background script that would only fetch an external URL if installed from the Chrome Webstore. Locally installed versions would not trigger an attack.
"The script would like a page on Facebook that was hardcoded in the script," researchers explain. "This was most likely used by the attackers to count the amount of infected users by keeping an eye on the amount of likes on this page."
Indeed, when observed, the "like" count quickly rose from 8,900 at one point to 32,000 a few hours later.
Google Chrome's security team disabled all malicious extensions to stop the spread of attack as much as possible; however, attackers had stolen all the access tokens from victims' accounts. This means attackers can still access these profiles, even if victims have changed their passwords, signed out, or disabled platform settings.
"We are currently discussing this with Facebook," Jacoby and Rosén report, "but at the moment it seems like there is no simple way for a victim to revoke the token the attackers stole."
The Facebook attack heavily relied on realistic social interactions, dynamic user content, and legitimate domains to spread. Researchers advise users to be careful when letting extensions control the bowser, and know which extensions they are running in the browser.
Tip: In Chrome, you can write chrome://extensions/ in your URL field to see a list of enabled extensions.