An epidemic of Facebook ads offering free popular software leads to device infections

Social networks, 16.07.2024, 13:30

Cybercriminals are using business Facebook pages and ads to advertise fake Windows themes, pirated games, and software such as Sora AI, a 3D image creator, and One Click Active. Downloading this "software" infects the device with the SYS01 password-stealing malware, warn researchers at Trustwave, who discovered these campaigns.

Using Facebook ads to spread malware is not a new tactic for cybercriminals. Given the platform's reach, such campaigns are very dangerous because a large number of devices can be infected this way.

Ads for Windows themes, free game downloads, and activation cracks for popular software such as Photoshop, Microsoft Office, and Windows are posted by cybercriminals on newly created business Facebook pages or on hijacked existing ones. When they use hijacked Facebook pages, they rename them to match the theme of their ad. This tactic "allows them to leverage their existing follower base to significantly increase the reach of their advertising," according to the Trustwave report. The pages are operated by fraudsters from Vietnam and the Philippines, and Trustwave says thousands of ads are used for each campaign.

When a Facebook user clicks on an ad, they are taken to web pages hosted on Google Sites or True Hosting, which are presented as download pages for the content advertised in the ad. Clicking "Download" fetches a ZIP file named after the promised content, e.g. "Awesome_Themes_for_Win_10_11.zip" or "Adobe_Photoshop_2023.zip".

While users think they are getting a free app, game, or Windows theme, the archive actually contains the data-stealing SYS01 malware. This malware, first reported in 2022, steals data from the infected computer, including browser cookies, passwords saved in the browser, browsing history, and cryptocurrency wallets.

The malware also uses the Facebook session cookies found on the device to access the victim's Facebook account, from which it extracts information such as name, email address, and date of birth.

It also collects data on the victim's advertising accounts, including spending and payment methods, and on the Facebook pages the victim manages, including follower counts.

The stolen data is temporarily stored in the %Temp% folder before being sent to the attackers.

Stolen cookies and passwords can be sold to other cybercriminals or used to take over the victim's other accounts; hijacked Facebook business pages are themselves reused to spread the same ads further.

These ads were not only spotted on Facebook; similar profiles were also found on LinkedIn and YouTube.

In February, Trustwave reported on a similar campaign on Facebook that was spreading the password-stealing malware Ov3r_Stealer.

Photo: Pixabay | Pexels

Source: www.informacija.rs