Woman holding phone with Facebook on the screen showing Facebook Messenger phishing campaign

Facebook Messenger Phishing Campaign Targets Millions of Business Accounts Locking Out Owners

A Facebook Messenger phishing campaign has targeted millions of business accounts using fake and hijacked personal accounts, resulting in highly successful takeovers.

According to Guardio Labs researchers, the attackers target highly rated Facebook marketplace sellers, accounts with many followers, or business pages with fake product inquiries.

They send malicious attachments that download a Python-based infostealer that harvests saved passwords and browser cookies before locking out business page owners.

Facebook Messenger phishing campaign results in multi-stage infection

Attackers begin by enquiring about the availability of a posted product by sending a message with an attachment purporting to be the product in question.

The tactic lures the seller into downloading the attachment to determine which product the prospective customer wants.

Alternatively, they request profile owners to remove a photo or video from the Facebook page and apparently attach the item in question in a compressed .RAR or .ZIP format. Business owners apprehensive of violating regulations would be compelled to download and review the attachments to resolve the issue.

However, the attachment contains a Windows batch file (.bat), which acts as the Stage I dropper that downloads another archive containing a command file ‘vn.cmd’ that acts as the Stage II dropper.

The Stage II dropper pulls and unpacks a standalone Python environment (Document.zip), retrieves and executes the main stealer ‘project.py,’ and adds a startup batch file ‘WindowsSecure.bat’ to maintain persistence. The three files reside on free code-sharing platforms such as GitHub and GitLab.

After execution, the password-stealing malware harvests passwords and cookies from all the victim’s browsers and sends them to the attacker via Telegram/Discord APIs.

Additionally, the attacker deletes all login credentials and session cookies from the victim’s browser to lock them out, buying enough time to change passwords and log out of all devices.

“… so the victims won’t be able to revoke the stolen session or change the password themselves,” the researchers explained.

The attackers use different file names, change the subject or add Unicode characters to words to customize the message and evade Facebook Messenger’s spam detection.

Similarly, the Python infostealer employs 5 obfuscation layers to hide and generate content on the fly to avoid static analysis.

Facebook Messenger phishing campaign achieved “staggering success”

In 30 days, the threat actors targeted 7% of all Facebook business accounts, with at least 0.4% (1 out of 250) of the targeted accounts downloading the malware in 30 days, out of which up to 1.4% (1 out of 70) were infected.

“These threat actors are targeting millions of business accounts on Facebook’s platform — from highly-rated marketplace sellers to large corporations, with fake business inquiries, achieving a staggering “success rate” with approximately 1 out of 70 infected!” noted the researchers.

The researchers also found that the Facebook Messenger phishing campaign leverages bots and fake and compromised personal accounts to target millions of business owners.

“The threat actors hold an army of bots and fake Facebook accounts as well as a listing of millions of business accounts, pages, and managers – sending over 100k phishing messages a week to Facebook users around the world,” said Guardio researchers.

The attackers anticipate that the targeted business owners have other valuable accounts such as banking, e-commerce, and ad platforms. Once compromised, they monetized the accounts by disposing of them on underground forums or using them for more phishing campaigns.

“We see numerous channels and users offering everything from specific high-value accounts to ‘logs’ of hundreds and thousands of hijacked business accounts (BM — Business Manager), advertisement accounts with reputation, or even linked payment methods and credits (Agency Accounts),” they wrote.

Guardio Labs researchers attributed the Facebook messenger phishing campaign to Vietnamese threat actors based on the presence of Vietnamese phrases and the use of the “Coc Coc” browser, which is popular in the country. Additionally, they traced the Telegram and Discord API tokens to accounts named ‘MrTonyName,’ which also includes Vietnamese phrases.

The Meta platform has witnessed numerous Vietnamese phishing campaigns targeting saved passwords and browser cookies using various infostealer malware variants.

In May 2023, Meta disrupted another Vietnamese phishing campaign leveraging Ducktail and Nodestealer malware posing as ChatGPT extensions to harvest Facebook Business account credentials.

In April 2023, Guardio Labs observed another Vietnamese threat actor leveraging Facebook Ads in a malvertising campaign that infected over 500,000 accounts.

The researchers highlighted numerous security failures that allowed the Facebook Messenger phishing campaign to thrive.

“We see how social services like Facebook and others still fail to detect account hijacking in real time (not that it’s easy, and yet…) and also how the eco-system of this dark market is thriving and attracts more and more threat actors to get a piece of the pie.”

Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4, noted that large tech companies like Facebook and Microsoft spend tens of millions annually to stop attackers from creating legitimate accounts.

“It’s very tough,” Grimes noted. “The bad guys automate getting new accounts, using humans where needed, to answer CAPTCHAs. Whatever the good side comes up with to stop or slow down the attackers, the attackers will just try to move around it and automate.”