Malwarebytes has identified a new cybercrime group targeting business owners who use Facebook’s advertising tools.
In a report from the company, Senior Threat Researcher Jérôme Segura noted, “there’s been a resurgence in sponsored posts and accounts that impersonate Meta/Facebook’s own Ads Manager” promising better ad performance.
The attack, which leads victims to install a malicious Chrome browser extension, looks to have generated more than $180,000 in compromised ad budget to date.
Fake Facebook ad generator
Malicious accounts redirect unsuspecting victims to external phishing domains, which use legitimate branding and favicons to trick users into thinking they are still on the Facebook platform.
Among the malicious downloads is a Chrome extension, which uses a Google Translate icon despite its promise to generate better Facebook ad returns. Segura says:
“A quick look at its source code reveals immediate hex obfuscation in an attempt to hide what it is actually doing.”
Reverse engineering found that the extension indeed has nothing to do with Google Translate, and instead focuses on grabbing Facebook login information.
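As an added illustration of the hex obfuscation Segura describes (not code from Malwarebytes or from the extension itself), the following Python triage script decodes hex-escaped strings in an extension's JavaScript and flags what they hide. It assumes the obfuscation takes the form of `\xNN` string escapes; the watch list and the sample script are constructed for this example.

```python
import re
import sys

# Assumption: "hex obfuscation" means JavaScript \xNN escapes in string literals.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")  # four or more escapes in a row

# Hypothetical watch list: strings a translation tool has no reason to hide.
WATCHLIST = ("facebook.com", "cookie", "password")


def decode_hex_runs(source):
    """Return the decoded text of every run of \\xNN escapes in source."""
    return [HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), run)
            for run in HEX_RUN.findall(source)]


def triage(source):
    """Summarise how much of a script is hex-escaped and what the escapes hide."""
    decoded = decode_hex_runs(source)
    escaped_chars = sum(len(s) for s in decoded) * 4  # each \xNN is 4 source chars
    hits = sorted({w for s in decoded for w in WATCHLIST if w in s.lower()})
    return {
        "hex_ratio": round(escaped_chars / max(len(source), 1), 2),
        "decoded": decoded,
        "watchlist_hits": hits,
    }


def hexify(text):
    """Encode text as \\xNN escapes (used only to build the sample below)."""
    return "".join("\\x%02x" % ord(c) for c in text)


# Constructed sample, not code from the extension in the report.
SAMPLE = 'var u="%s";var k="%s";fetch(u);' % (
    hexify("https://www.facebook.com/"), hexify("cookie"))

if __name__ == "__main__":
    # With no arguments, analyse the constructed sample; otherwise analyse
    # each JavaScript file path given on the command line.
    if len(sys.argv) == 1:
        print("sample", triage(SAMPLE))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, triage(fh.read()))
```

A high `hex_ratio` alone is only a signal to look closer; the decoded strings are what show whether an extension's behaviour matches what it claims to be.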
Malwarebytes has discovered more than 20 similar campaigns, one of which accidentally leaked its own stolen data and, subsequently, Google account information, which the researchers have since passed on to Meta.
In all, more than 800 victims appear to have been taken advantage of worldwide, with around two in five coming from the US. The information, which has been shared with Meta, indicates that the threat actors are from Vietnam and are largely targeting Facebook business accounts.
Malwarebytes suggests that Business Manager accounts should regularly be checked for unknown users. Periodically running malware scans also serves as a valuable exercise that could prevent data and money theft.