Bucharest, November 2, 2023 – #rbj – Researchers from the Romanian company Bitdefender have discovered an aggressive campaign that spreads computer threats in a novel way: hackers control the Facebook pages of some companies and use their advertising budgets to display provocative ads that mainly target men. The ultimate goal is to trick victims into accessing these ads, after which they lose their accounts and personal data.
The latest NodeStealer campaign discovered by Bitdefender’s IT security specialists uses an enhanced version to which cybercriminals have added new features that allow them to fraudulently gain access to additional platforms (Gmail and Outlook), steal crypto wallets and install computer threats. NodeStealer is a relatively new cyber threat, discovered by the Meta security team in January 2023, that allows attackers to steal browser cookies and take control of Facebook Business accounts without any further interaction with the victim, bypassing even security mechanisms such as two-step authentication.
Here are the main findings of research conducted in October 2023 by Bitdefender researchers:
The ads distribute a newer version of the NodeStealer cyber threat.
Bitdefender specialists have discovered that there are at least ten compromised Facebook accounts belonging to companies that continue to distribute dangerous advertisements to the public.
Multiple iterations of the same ad were used in approximately 140 malicious ad campaigns.
The attackers used up to five active ads simultaneously, which they constantly alternated to try to avoid user reports.
The ads displayed photos of young women in provocative poses to lure victims into downloading cyber threats.
The threat is distributed via Windows executable files disguised as photo albums.
About 100,000 potential downloads are estimated by Bitdefender researchers, with a single ad getting up to 15,000 hits in just 24 hours.
The most targeted segment is represented by men over 45 years old.
How the campaign works
To gain access to user accounts, cybercriminals use the ad budgets of the already compromised Facebook Business accounts and distribute ads to the selected target audience. The attackers create a Facebook page called “Album Update” where they add photos of young women in provocative poses and use short descriptions to entice users to download the media archive: “Watch now before it’s deleted.” The albums redirect users to Bitbucket or GitLab, which hosts an archive containing a Windows executable that installs newer versions of the NodeStealer threat on users’ devices. Once cybercriminals gain access to users’ cookies using NodeStealer’s basic functions, they take over Facebook accounts and access sensitive information.
Recommendations for users
Install and keep an IT security solution up to date to defend against attacks launched via phishing links, attachments or advertisements.
Always remain vigilant in your online interactions and be cautious when you receive unsolicited links associated with alarming ads asking you to urgently download files.
Avoid ads that prompt you to download photo albums from Bitbucket, GitLab, or Dropbox.
The full research is available here: https://www.bitdefender.com/blog/labs/nodestealer-attacks-on-facebook-take-a-provocative-turn-threat-actors-deploy-malvertising-campaigns-to-hijack-users-accounts/
Global leader in cyber security
Bitdefender offers cyber security solutions with leading efficiency, performance and ease of use for small and medium-sized companies, mid-market companies and individual users. Guided by the vision to be the world’s most trusted provider of cyber security solutions, Bitdefender is committed to defending businesses and individual users around the world from cyber attacks to transform and improve their digital experience.