A large-scale fraud campaign is unfolding on Facebook Messenger, where attackers use a large pool of fake and compromised Facebook accounts to send huge volumes of phishing messages. The messages primarily target Facebook business accounts, aiming to infect them with password-stealing malware.
The attackers lure their targets into opening a RAR/ZIP archive that contains a downloader for a hard-to-detect Python-based stealer, which harvests cookies and login credentials from the victim's web browser.
Guardio Labs' latest research highlights how effective this operation is: roughly 1 in 70 accounts targeted by these campaigns is eventually compromised, leading to significant financial losses.
The attack starts with phishing messages sent to Facebook business accounts, disguised as notifications about copyright issues or inquiries about specific products.
The file attached to these messages contains a batch script. When run, it fetches a malicious dropper from GitHub repositories, a tactic that helps evade detection tools and leaves few traces on the system.
The package also includes a standalone Python environment required by the stealer and establishes persistence by configuring the malware to launch at system startup.
The malicious file itself, project.py, is wrapped in five layers of obfuscation, making it difficult for antivirus software to detect and block.
Once running, the malware collects all cookies and login data stored in the victim's browser, bundles them into a ZIP file named 'Document.zip', and sends the archive to the attackers via Telegram or Discord bot APIs.
To add insult to injury, the malware then deletes all cookies from the infected device, effectively logging the user out. This gives the fraudsters time to take over the freshly compromised account by changing its login credentials.
Unfortunately, the slow response of social media companies to reports of compromised accounts gives the attackers an extended window in which to use the hijacked accounts for further scams.
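The infection chain described above (batch script launching a Python stealer from a user-writable directory, startup persistence, exfiltration to a Telegram or Discord bot API) can be correlated in endpoint telemetry. The following detection logic is an added example written for this article, not Guardio's code or anything from the campaign; the log events are constructed, the Run-key persistence mechanism and the Temp/AppData install path are assumptions, and the bot-API hostnames are the public API hosts of the two services rather than indicators taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), loosely modelled on Sysmon-style fields.
# ws01 shows the full chain; ws02 is a benign developer running Python normally.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": r"C:\Users\a\Downloads\copyright_notice.bat",
     "image": r"C:\Users\a\AppData\Local\Temp\python\python.exe", "cmdline": "python.exe project.py"},
    {"host": "ws01", "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\a\AppData\Local\Temp\python\project.py"},
    {"host": "ws01", "type": "network", "image": r"C:\Users\a\AppData\Local\Temp\python\python.exe",
     "dest": "api.telegram.org", "port": 443},
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Python311\python.exe", "cmdline": "python.exe build.py"},
    {"host": "ws02", "type": "network", "image": r"C:\Program Files\Python311\python.exe",
     "dest": "pypi.org", "port": 443},
]

# Assumption: exfiltration goes to the public bot API hosts of Telegram and Discord.
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# Directories a phished user can write to without admin rights.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def find_stealer_chains(events, min_indicators=2):
    """Group events by host and return the hosts that show at least
    min_indicators distinct stages of the chain, mapped to the stage names seen."""
    seen = defaultdict(set)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        image = ev.get("image", "")
        is_python = image.lower().endswith("python.exe")
        # Stage 1: a batch file (the attachment) starts a Python interpreter from a user dir.
        if kind == "process" and ev["parent"].lower().endswith(".bat") \
                and is_python and USER_WRITABLE.search(image):
            seen[host].add("python_launched_by_batch_from_user_dir")
        # Stage 2: startup persistence pointing into a user-writable directory.
        elif kind == "registry" and ev["key"].lower().endswith(r"\run") \
                and USER_WRITABLE.search(ev["value"]):
            seen[host].add("run_key_persistence_to_user_dir")
        # Stage 3: the Python process talks to a bot API used for exfiltration.
        elif kind == "network" and is_python and ev["dest"].lower() in EXFIL_HOSTS:
            seen[host].add("python_contacting_bot_api")
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_indicators}


if __name__ == "__main__":
    print(find_stealer_chains(SAMPLE_EVENTS))
```

Requiring two or more stages on the same host keeps a lone developer's Python-to-Telegram call from paging anyone, while the full three-stage chain stands out clearly.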