Hackers are attacking Facebook users through pornographic image ads

Phan Van Hoa (According to Hackread; Thehackernews) 10:30

(Baonghean.vn) - Scammers are using artificial intelligence (AI)-generated porn ads to lure users into downloading and installing the infamous NodeStealer malware.

Cybersecurity researchers at Romanian cybersecurity and antivirus software developer Bitdefender Labs have shared details of a new wave of malware-based scams targeting Facebook's Meta ad network to steal user data through the deployment of the NodeStealer malware.


NodeStealer was first discovered by Meta (parent company of Facebook, Instagram) in May 2023. The latest variant of NodeStealer is written in Python, a programming language widely used in web applications, software development, data science and machine learning (earlier variants were written in JavaScript). It can collect cookies and passwords stored in web browsers to steal Facebook, Gmail and Outlook accounts.

It is an information-stealing tool designed to steal sensitive user data, including browser cookies and passwords. It allows operators to take control of Facebook, Gmail, Outlook, and other accounts.

Security researchers at Bitdefender said that when a user clicks on the malicious ad (which uses revealing images), the browser immediately downloads the PhotoAlbum.exe file. If the victim opens the file, the latest version of the NodeStealer malware is downloaded.

Meta has been hit by malware, specifically on its Facebook Business account network, where malicious actors attempted to steal users' login and payment information.

According to a Bitdefender blog post published on October 31, 2023, Meta’s Ads Manager tool is being actively exploited in these scams. Researchers found that the campaign targets male Facebook users from Africa, Europe, and the Caribbean aged 18-65, but predominantly males over 45.

According to Bitdefender research, cybercriminals are now targeting regular Facebook users in addition to business accounts. Threat actors are using the ad credit balances of hacked business accounts to run misleading ads that distribute malware to unsuspecting users.

The campaign involved displaying ads featuring sexually explicit images of young women. To do so, the attackers created Facebook pages where they ran fake ads featuring a number of revealing photos of young women, many of which were AI-generated, photoshopped or otherwise altered. According to the researchers, some of the fake profiles used similar names:

· Album Update.

· Private Album Update.

· Album Girl News Update.

· Hot Album Update Today.

· Album New Update Today.

· Album Private Update Today.

These albums link to Gitlab or Bitbucket repositories that host archives containing Windows executables, which install a new variant of the NodeStealer information stealer. The attackers also use short descriptions to lure users into downloading the media archives. For example, they post captions like “Watch before it gets deleted” and “New content online today.”

When an unsuspecting user clicks on the ad or photo, they are redirected to a malicious website and prompted to download a file titled “Photo Album.” This is an archive file that contains a malicious executable.
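The delivery pattern described above, an archive presented as a photo album that actually carries a Windows executable, can be checked before anything is opened. The following is an added defensive example, not code from Bitdefender or from this article; the extension list, the lure keywords and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will run directly; this list is an assumption of the example.
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk")
MEDIA_WORDS = ("photo", "album", "image", "picture")  # lure keywords, assumed

def find_executables(zip_bytes):
    """Return names of archive members that are Windows executables,
    judged by extension or by the 'MZ' magic at the start of the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            if info.filename.lower().endswith(EXEC_EXTS) or magic == b"MZ":
                hits.append(info.filename)
    return hits

def triage(archive_name, zip_bytes):
    """Flag an archive whose name promises media but which carries executables."""
    execs = find_executables(zip_bytes)
    looks_like_media = any(w in archive_name.lower() for w in MEDIA_WORDS)
    return {"suspicious": bool(execs) and looks_like_media, "executables": execs}

def _build_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: harmless bytes, only the 'MZ' header is imitated.
LURE = _build_zip({"PhotoAlbum.exe": b"MZ" + b"\x00" * 62,
                   "cover.jpg.dat": b"MZ" + b"\x00" * 62})
BENIGN = _build_zip({"holiday/001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16})

if __name__ == "__main__":
    print(triage("Photo Album.zip", LURE))
    print(triage("Photo Album.zip", BENIGN))
```

The magic-byte check catches executables renamed with a harmless-looking extension, which an extension-only filter would miss.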

Furthermore, once NodeStealer is installed on a victim’s device, it begins stealing data such as Facebook account logins, browser cookies, and other personal data, which the attacker then uses to take over the account. In just 10 days, there were 100,000 downloads of the potential malware, and one ad attracted around 15,000 downloads within 24 hours.

Hackread reported on a previous campaign in which hackers took over Facebook business accounts using NodeStealer 2.0 and stole cryptocurrency. The campaign was discovered in August by researchers at the US-based multinational cybersecurity firm Palo Alto Networks.

It is not yet clear which cybercriminal group is behind the recent campaign. But security experts are warning Facebook users to be cautious when clicking on ads or visiting websites.

According to security experts, to limit attacks, Facebook account owners must always use security solutions on their devices and keep them up to date, use strong passwords, and activate two-factor authentication in the settings.

In addition, Facebook users should only make friends with people they know and trust, should not click on links or download attachments from strangers, and should report suspicious activities to Facebook.
