NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

Compromised Facebook business accounts are being used to run bogus ads that employ “revealing photos of young women” as lures to trick victims into downloading an updated version of a malware called NodeStealer.

“Clicking on ads immediately downloads an archive containing a malicious .exe ‘Photo Album’ file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords,” Bitdefender said in a report published this week.

The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation.

The latest campaign discovered by the Romanian cybersecurity firm is no different in that malicious ads are used as a conduit to compromise users’ Facebook accounts.

Earlier this August, HUMAN disclosed another kind of account takeover attack dubbed Capra aimed at betting platforms by using stolen email addresses to determine registered addresses and sign in to the accounts.

The development comes as Cisco Talos detailed several scams that target users of the Roblox gaming platform with phishing links that aim to capture victims’ credentials and steal Robux, an in-app currency that can be used to purchase upgrades for their avatars or buy special abilities in experiences.

“‘Roblox’ users can be targeted by scammers (known as ‘beamers’ by ‘Roblox’ players) who attempt to steal valuable items or Robux from other players,” security researcher Tiago Pereira said.

It also follows CloudSEK’s discovery of a two-year-long data harvesting campaign occurring in the Middle East via a network of about 3,500 fake domains related to real estate properties in the region with the goal of collecting information about buyers and sellers, and peddling the data on underground forums.