Facebook Pages Impersonating Meta Are Spreading Malware
Sketchy Facebook pages impersonating businesses are nothing new, but a flurry of recent scams is particularly brazen, TechCrunch reported.

A handful of verified Facebook pages were hacked recently and spotted slinging likely malware through ads approved by and purchased through the platform. But the accounts are easy to catch – in some cases, they were impersonating Facebook itself.

TechCrunch also reported that the compromised accounts include official-sounding pages like “Meta Ads” and “Meta Ads Manager.” Those accounts shared suspicious links to tens of thousands of followers, though their reach probably extended well beyond the paid posts.

In another instance, a hacked verified account purporting to be “Google AI” pointed users toward fake links for Bard, Google’s AI chatbot. That account previously belonged to Indian singer and actress Miss Pooja before the account name was changed on April 29. The account, which had operated for at least a decade, boasted more than 7 million followers.

Meta published a post on its Engineering at Meta blog titled “The malware threat landscape: NodeStealer, DuckTail, and more.” Here is part of what the company posted:

  • We’re sharing our latest threat research and technical analysis into persistent malware campaigns targeting businesses across the internet, including threat indicators to help raise our industry’s collective defenses across the internet.
  • These malware families – including Ducktail, NodeStealer and newer malware posing as ChatGPT and other similar tools – targeted people through malicious browser extensions, ads, and various social media platforms with an aim to run unauthorized ads from compromised business accounts across the internet.
  • We’ve detected and disrupted these malware operations, including previously unreported malware families, and have already seen rapid adversarial adaptation in response to our detection, including some of them choosing to shift their initial targeting elsewhere on the internet.

“…We know that malicious groups behind malware campaigns are extremely persistent, and we fully expect them to keep trying to come up with new tactics and tooling in an effort to survive disruptions by any one platform where they spread. That’s why our security teams tackle malware – one of the most persistent threats online – as part of our defense-in-depth approach through multiple efforts at once.

It includes: malware analysis and targeted threat disruption, continuously improving detection systems to block malware at scale, security product updates, community support and education, threat information sharing with other companies and holding threat actors accountable in court. This helps raise the cost for these malicious groups and limits the lifecycle of any single strain of malware – forcing threat actors to continue to invest time and resources into constantly adapting to stay afloat…”

Meta provided some information about Ducktail:

“…A long-running malware family known in the security community as Ducktail is a good example. For several years, we’ve tracked and blocked iterations of Ducktail originating from Vietnam that have evolved as a result of enforcements by Meta and our industry peers. Ducktail is known to target a number of platforms across the internet, including:

  • LinkedIn to socially engineer people into downloading malware;
  • Browsers like Google Chrome, Microsoft Edge, Brave, and Firefox to gain access to people’s information on desktop; and
  • File-hosting services such as Dropbox and Mega, to host malware.”

Meta also provided some information about the novel NodeStealer malware:

“In late January 2023, our security team identified a new malware NodeStealer that targeted internet browsers on Windows with a goal of stealing cookies and saved usernames and passwords to ultimately compromise Facebook, Gmail, and Outlook accounts. NodeStealer is custom-written in JavaScript and bundles the Node.js environment. We assessed the malware to be of Vietnamese origin and distributed by threat actors from Vietnam…”

Regarding NodeStealer, Meta wrote: “While the file is a Windows executable file (with an exe extension) it is disguised as a PDF file with a PDF icon. We also observed metadata on the file that attempts to disguise the file as a product of ‘MicrosoftOffice’.”
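The disguise Meta describes (an executable dressed up as a PDF) can be caught by a simple content-versus-name check. The script below is an added example written for this article; it is not code from the original post, from TechCrunch, or from Meta’s research. It assumes nothing about NodeStealer beyond the quoted description: it flags files whose name claims a document but whose bytes carry a Windows PE layout, and files with a double extension such as `report.pdf.exe`. The sample files it scans are constructed inline (hypothetical names, minimal fake PE headers) so it runs offline.

```python
"""Triage check for executables disguised as documents (added example,
not from the article or Meta). Sample files are constructed below."""
import os
import struct
import tempfile

# Magic numbers: a real PDF begins with "%PDF"; a Windows PE image begins
# with the DOS stub signature "MZ" and carries "PE\0\0" at offset e_lfanew.
PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header and a 'PE\\0\\0' signature at the
    offset stored in the 32-bit little-endian field at 0x3C (e_lfanew)."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str) -> list:
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]   # e.g. ".pdf" in "report.pdf.exe"
    with open(path, "rb") as fh:
        head = fh.read(1024)

    # Double extension: Windows hides known extensions by default, so
    # "report.pdf.exe" is displayed as "report.pdf" while still being an exe.
    if ext == ".exe" and inner_ext in DOCUMENT_EXTS:
        findings.append("double extension: document name ending in .exe")
    # Name/content mismatch: document extension, executable content.
    if ext in DOCUMENT_EXTS and looks_like_pe(head):
        findings.append("content is a PE executable but name claims a document")
    # A .pdf that is neither a PDF nor a PE is still worth a look.
    if ext == ".pdf" and not head.startswith(PDF_MAGIC) and not looks_like_pe(head):
        findings.append("name claims PDF but content lacks %PDF header")
    return findings


def scan_directory(directory: str) -> dict:
    """Map each flagged file name in a directory to its findings."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            found = classify(full)
            if found:
                report[entry] = found
    return report


def build_minimal_pe() -> bytes:
    """Constructed test data: a non-runnable byte string with a valid-looking
    PE layout (MZ stub, e_lfanew = 0x40 pointing at 'PE\\0\\0')."""
    header = bytearray(0x80)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def make_samples(directory: str) -> None:
    """Write constructed sample files with hypothetical names."""
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%constructed sample\n",   # genuine PDF
        "statement.pdf": build_minimal_pe(),                 # exe disguised as PDF
        "report.pdf.exe": build_minimal_pe(),                # double extension
        "setup.exe": build_minimal_pe(),                     # honest exe, not flagged
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Create the samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'; '.join(findings)}")
```

The check reads only the first kilobyte and never executes anything, so it is safe to run over a downloads folder or a mail-attachment quarantine. It is a heuristic, not a verdict: a PDF icon is set by the executable’s own resources and is invisible to this script, which is exactly why the content signature, not the icon or the displayed name, is what gets trusted.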

The best advice I can give people who are on Facebook is to enable two-factor authentication (2FA) using an authenticator app on your phone. In addition, be wary of sketchy-looking ads that have clickable links in them.