Facebook has detailed a wide-scale Chinese malware campaign that targeted its ad platform for years & siphoned off $4 million from users’ advertising accounts.
It described an ad-fraud cyber-attack that has been ongoing since 2016, stealing Facebook credentials & browser cookies.
Compromised Facebook Accounts
Called Silent Fade (short for “Silently running Facebook Ads with Exploits”), the malware compromised Facebook accounts & used them to promote malicious ads, steal browser cookies & more.
The social-media giant suggested that the Chinese malware campaign started in 2016, but it was 1st discovered in Dec. 2018, due to a suspicious traffic increase across a number of Facebook endpoints.
After an extensive investigation, Facebook shut down the campaign & pursued legal action against the cyber-criminals behind the attack in Dec. 2019.
“Our investigation uncovered a number of interesting techniques used to compromise people with the goal to commit ad fraud,” wrote Sanchit Karve & Jennifer Urgilez of Facebook, in an analysis presented on Thursday at the Virus Bulletin 2020 conference. “The attackers primarily ran malicious ad campaigns, often in the form of advertising pharmaceutical pills & spam with fake celebrity endorsements.”
Facebook said that Silent Fade was not downloaded or installed by using Facebook or any of its products. It was instead usually bundled with potentially unwanted programs (PUPs). PUPs are software programs that a user may perceive as unwanted; they may use an implementation that can compromise privacy or weaken user security.
In this case, researchers believe the malware was spread via pirated copies of popular software (such as the CorelDraw Graphics graphic design software for vector illustration & page layout).
When installed, Silent Fade stole Facebook credentials & cookies from various browser credential stores, including Internet Explorer, Chromium & Firefox.
“Cookies are more valuable than passwords because they contain session tokens, which are post-authentication tokens,” observed researchers. “This use of compromised credentials runs the risk of encountering accounts that are protected with 2-factor authentication, which Silent Fade cannot bypass.”
The malware itself consists of 3 to 4 components, with the main downloader component being included in PUP bundles, researchers explained. This downloader component is either a standalone malware component or a Windows service (installed as either “Ad Service” or “HNService”).
It is responsible for persistence across reboots & for dropping 32-bit & 64-bit dynamic-link libraries (DLLs), usually named winhttp.dll, into Chrome’s application directory, where they carry out a DLL hijacking attack: Chrome resolves the planted file instead of the legitimate system copy.
“The DLL proxies all requests to the real winhttp.dll but makes requests to facebook.com through the Chrome process, evading dynamic behaviour-based anti-malware detection by mimicking innocuous network requests,” suggested researchers.
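The hijack described above leaves a concrete footprint a defender can look for: a browser process loading a system DLL name from its own application directory rather than from the Windows system directories. The following is an added example for this article, not Facebook’s code nor anything from the SilentFade analysis. It runs a simple detection rule over constructed records shaped like Sysmon Event ID 7 (ImageLoad) events rendered as one JSON object per line; the field names `Image`, `ImageLoaded`, `Signed` and `Signature` are the real Sysmon field names, but the records themselves, the process list and the `%SystemRoot%` paths are assumptions made for the example.

```python
"""Flag winhttp.dll being loaded by chrome.exe from outside the system directories.

Added example for this article, not Facebook's code or part of the SilentFade
analysis. Input records are a constructed, simplified JSON rendering of Sysmon
Event ID 7 (ImageLoad) fields, not captured telemetry.
"""
import json
import ntpath

# Directories from which a Windows system DLL such as winhttp.dll is
# legitimately loaded (assumption: a default %SystemRoot% of C:\Windows).
TRUSTED_SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# DLL name the article reports SilentFade planting next to the browser.
WATCHED_DLLS = {"winhttp.dll"}

# Browser processes whose application directory the malware targets
# (assumption: the article only names Chrome).
WATCHED_PROCESSES = {"chrome.exe"}


def is_suspicious_image_load(event: dict) -> bool:
    """Return True when a watched process loads a watched DLL from a
    directory other than the system directories, or loads it unsigned."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    proc_name = ntpath.basename(image).lower()
    dll_name = ntpath.basename(loaded).lower()
    if proc_name not in WATCHED_PROCESSES or dll_name not in WATCHED_DLLS:
        return False
    dll_dir = ntpath.dirname(loaded).lower()
    outside_system = dll_dir not in TRUSTED_SYSTEM_DIRS
    # Sysmon renders the Signed field as the strings "true" / "false".
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return outside_system or unsigned


def scan_image_loads(lines):
    """Parse one JSON record per line and return the suspicious ImageLoad events."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 7:  # only ImageLoad events are relevant
            continue
        if is_suspicious_image_load(event):
            hits.append(event)
    return hits


# Constructed sample records (not real telemetry): a normal load from
# System32, a hijacked load from Chrome's own directory, an unrelated
# process, and a non-ImageLoad event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Program Files\\Google\\Chrome\\Application\\winhttp.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\winhttp.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe"}
"""

if __name__ == "__main__":
    for hit in scan_image_loads(SAMPLE_LOG.splitlines()):
        print("suspicious load:", hit["Image"], "->", hit["ImageLoaded"])
```

The rule keys on load path and signature only, which is enough to catch the planted copy the article describes; a production version would also compare the loaded file’s hash with the System32 copy and extend the watched-process set to other browsers that ship a per-application directory.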
After stealing credentials, the malware retrieves the metadata about the Facebook account (such as payment information & the total amount previously spent on Facebook ads), using the Facebook Graph API, which is a legitimate Facebook feature allowing users to read & write data to & from the Facebook social graph.
This data is then sent back to the malware’s C2 servers (as an encrypted JSON blob through custom HTTP headers).
Silent Fade has varying persistence & detection-evasion tactics, including code to detect virtual machines (checking the description field of all available display drivers for the strings “Virtual” or “VM”) & stop execution when one is detected.
It also disables Facebook notification alerts from compromised accounts, which could potentially alert the victim of suspicious activity.
In a unique anti-detection tactic, the C2 server stores the stolen data & logs the IP address of the incoming request so that the victim can be geolocated.
“This was crucial as the attackers intentionally used the stolen credentials from the same or a nearby city to the infected machine to appear as though the original account owner has travelled within their city,” commented researchers.
While users’ Facebook credentials are valuable on their own, accounts with linked credit cards (business accounts, for instance) also gave cyber-criminals the ability to charge those payment cards to promote malicious ads on Facebook.
However, “it should be noted that payment-information details (such as bank account & credit card numbers) were never exposed to the attackers, as Facebook does not make them visible through the desktop website or the Graph API,” observed researchers.
As part of its investigations into Silent Fade, Facebook also uncovered other Chinese malware campaigns, including ones dubbed Stress Paint, Facebook Robot & Scranos. Some of these malware attacks remained active as recently as June, Facebook warned.
Security & Privacy Issues
The company has faced security & privacy issues over the past year, & on Thursday filed a lawsuit in the US against 2 companies that used scraping to engage in an international data-harvesting operation, including scraping data from Facebook, Instagram, Twitter, YouTube, LinkedIn & Amazon, to sell “marketing intelligence.”
The data involved includes names, user IDs, genders, dates of birth, relationship status, location information & more.
Meanwhile, Facebook warns that it expects cyber-criminals to continue to launch attacks on its platform.
“We anticipate more platform-specific malware to appear for platforms serving large & growing audiences, as the evolving ecosystem targeting Facebook demonstrates,” explained Facebook.
“Only through user education & strong partnerships across the security industry will we measure the scale of malicious campaigns & effectively respond to them.”