Millions of Facebook business accounts are under attack through malicious Facebook Messenger messages sent by a botnet of fake and hijacked personal accounts. The attackers' goal is to deliver an info-stealer that harvests browser session cookies and saved logins, letting them take over the victim's accounts. According to researchers, the campaign reaches roughly 100,000 Facebook business accounts per week.
The campaign, dubbed “MrTonyScam” by Guardio Labs, delivers a Python-based stealer that infects around 1.4% of the accounts it reaches, about one in every 70. Guardio Labs published its findings in a blog post on September 11.
The campaign revolves around abusing Facebook’s Messenger platform by bombarding users with malicious attachments, all originating from a swarm of fake and compromised personal accounts. Oleg Zaytsev, a security researcher at Guardio Labs, has expressed concern about the recent surge in threat campaigns targeting Facebook business accounts. These attacks have given rise to a thriving business on Telegram dark markets, where cybercriminals sell hijacked accounts for further illicit activities.
Zaytsev elaborated on the offerings found in these Telegram dark markets, stating that they range from high-value accounts to logs containing hundreds or even thousands of hijacked business accounts. These logs often include advertisement accounts with established reputations, as well as linked payment methods and credits.
The MrTonyScam campaign shares similarities with previous attacks carried out by a Vietnam-based threat actor. The majority of victims affected by this massive campaign are located in North America, Europe, Asia, and Australia. From a technical perspective, the attackers’ messages contain a compressed stealer payload that specifically targets the victims’ installed web browsers. This payload is designed to extract session cookies, which are then sent to the threat actors via instant messaging channels.
Although the attack needs the victim to open the file, MrTonyScam has an unusually high success rate. The messages differ in wording but reuse a few pretexts, which defeats spam filters that look for identical mass mailings: some accuse the target account of policy violations, others ask about advertised products. Combined with changing filenames and the insertion of Unicode characters, this makes each message look unique.
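The evasion just described, message variants that differ in filename and inserted Unicode characters while reusing the same pretext, is countered by normalizing before comparing. The following is an added example, not Guardio Labs' code: it assumes the variation takes the form of fullwidth letters and zero-width characters (the article only says "Unicode characters"), and the messages are constructed to mimic the described pretexts, not real campaign samples.

```python
"""Near-duplicate clustering for Messenger lures that vary in wording,
filename and Unicode characters.

Added example: this is not Guardio Labs' code. The messages below are
constructed to mimic the pretexts described in the article (policy-violation
notices, product questions); they are not real campaign samples. The Unicode
tricks assumed here are fullwidth letters and zero-width characters.
"""
import re
import unicodedata

SAMPLE_MESSAGES = [
    "Your page violated our policy. Review the details in Violation_Report_4471.rar",
    "Yo\u200bur page vi\u200dolated our pol\uff49cy! Review the details in Policy_Notice_9082.zip",
    "Hi, is this product still available? Sizes in Order_List_21.zip",
    "H\u200bi, is th\uff49s product still available? Sizes in Order_list_77.rar",
    "Invoice for last month attached: inv_2023_08.pdf",
]

ZERO_WIDTH = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
FILENAME = re.compile(r"\b[\w\-]+\.(?:rar|zip|7z|exe|pdf)\b", re.IGNORECASE)
DIGITS = re.compile(r"\d+")


def normalize(text: str) -> str:
    """Collapse cosmetic variation so lures built from one template compare equal.

    Steps: strip zero-width characters that split words invisibly, apply NFKC so
    compatibility characters (e.g. fullwidth 'i') fold to ASCII, lowercase,
    replace archive/document filenames and digit runs with placeholders, and
    drop punctuation.
    """
    text = ZERO_WIDTH.sub("", text)
    text = unicodedata.normalize("NFKC", text).lower()
    text = FILENAME.sub(" <file> ", text)
    text = DIGITS.sub("<n>", text)
    text = re.sub(r"[^\w<>\s]", " ", text)
    return " ".join(text.split())


def shingles(text: str, k: int = 3) -> set:
    """Set of k-word shingles; a text of k words or fewer is one shingle."""
    toks = text.split()
    if len(toks) <= k:
        return {" ".join(toks)}
    return {" ".join(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster(messages, threshold: float = 0.6, canonical: bool = True):
    """Greedy single-pass clustering by shingle similarity.

    A message joins the first cluster whose representative is at least
    `threshold` similar, otherwise it opens a new cluster. With canonical=False
    the raw text is shingled, which shows how the attackers' variation defeats
    naive duplicate detection. Returns lists of message indices.
    """
    clusters = []  # [(representative_shingles, [indices]), ...]
    for idx, msg in enumerate(messages):
        sh = shingles(normalize(msg) if canonical else msg)
        for rep, members in clusters:
            if jaccard(sh, rep) >= threshold:
                members.append(idx)
                break
        else:
            clusters.append((sh, [idx]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    print("raw text:  ", cluster(SAMPLE_MESSAGES, canonical=False))
    print("normalized:", cluster(SAMPLE_MESSAGES))
```

On the raw text every message lands in its own cluster; after normalization the two policy-violation lures and the two product-question lures collapse into one cluster each, leaving the unrelated invoice message alone. The threshold and shingle size are tuning knobs, and a production filter would also fold in attachment hashes and sender reputation.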
Each message carries a link fitted to its pretext, enticing the recipient to click. The link downloads a conventional stealer payload packaged as a RAR or ZIP archive. Inside, the malware is wrapped in several layers of obfuscation, and the payload is generated on the fly so that each download differs and static signatures do not match.
Once executed, the simple but effective Python script in the payload collects cookies and login data from the browsers on the victim's machine and sends them to the attackers over the Telegram or Discord bot APIs, a common practice among scammers. The script then deletes the cookies it stole from the local browser store, which logs the victim out. The attackers, holding still-valid session cookies, log in and change the password before the locked-out victim can revoke the session or reset the password.
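On the endpoint, the sequence above (read the browser's cookie and login stores, post them to a bot API, delete the cookies) is a correlatable pattern even when the payload itself is generated on the fly and defeats static signatures. The following correlation rule is an added example, not Guardio Labs' code or any product's detection rule; the event schema, file paths, process names and hostnames are assumptions standing in for typical Sysmon/EDR process, file and network telemetry, and the events are constructed.

```python
"""Host-side correlation rule for the stealer behaviour described above:
a process that is not a browser reads a browser cookie or login store and,
shortly afterwards, connects to a Telegram or Discord bot endpoint.

Added example, not Guardio Labs' code. The event schema (one dict per event
with ts/type/pid/image and either path or dest_host) and the events themselves
are constructed to resemble EDR/Sysmon telemetry; they are not a real vendor
format or real campaign data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Suffixes of the files where Chromium-based browsers (Chrome, Edge, Brave) and
# Firefox keep session cookies and saved logins; compared lowercase with '/'.
CREDENTIAL_STORE_SUFFIXES = (
    "/default/network/cookies",  # Chromium, current layout
    "/default/cookies",          # Chromium, older layout
    "/default/login data",       # Chromium saved passwords
    "/cookies.sqlite",           # Firefox cookies
    "/logins.json",              # Firefox saved passwords
)
# Hosts behind the Telegram bot API and Discord webhooks/API.
EXFIL_HOSTS = ("api.telegram.org", "discord.com", "discordapp.com")
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

# Constructed paths for the sample telemetry (assumed, not from the campaign).
PY = r"C:\Users\victim\AppData\Local\Temp\project_details\python.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
COOKIES = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"
LOGINS = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"

EVENTS = [  # constructed telemetry
    {"ts": "2023-09-11T10:00:01", "type": "file_read", "pid": 4120, "image": CHROME, "path": COOKIES},
    {"ts": "2023-09-11T10:05:10", "type": "file_read", "pid": 7788, "image": PY, "path": COOKIES},
    {"ts": "2023-09-11T10:05:11", "type": "file_read", "pid": 7788, "image": PY, "path": LOGINS},
    {"ts": "2023-09-11T10:05:12", "type": "net_connect", "pid": 7788, "image": PY, "dest_host": "api.telegram.org"},
    {"ts": "2023-09-11T10:05:13", "type": "file_delete", "pid": 7788, "image": PY, "path": COOKIES},
    # A legitimate notifier that uses the bot API but never touched a credential store.
    {"ts": "2023-09-11T10:30:00", "type": "net_connect", "pid": 9001, "image": r"C:\Tools\notify.exe", "dest_host": "api.telegram.org"},
]


def _norm_path(p: str) -> str:
    return p.replace("\\", "/").lower()


def _basename(p: str) -> str:
    return _norm_path(p).rsplit("/", 1)[-1]


def is_credential_store(path: str) -> bool:
    return _norm_path(path).endswith(CREDENTIAL_STORE_SUFFIXES)


def is_exfil_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS)


def detect(events, window: timedelta = timedelta(minutes=10)):
    """Return one alert per process that read a credential store and then, within
    `window`, connected to an exfiltration host. Browsers reading their own
    stores are ignored; deletion of a store by the same process is attached as
    supporting evidence for the lock-out step.
    """
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        image = evs[0]["image"]
        if _basename(image) in BROWSER_PROCESSES:
            continue
        reads = [e for e in evs if e["type"] == "file_read" and is_credential_store(e["path"])]
        if not reads:
            continue
        first_read = datetime.fromisoformat(reads[0]["ts"])
        exfil = [
            e for e in evs
            if e["type"] == "net_connect" and is_exfil_host(e["dest_host"])
            and first_read <= datetime.fromisoformat(e["ts"]) <= first_read + window
        ]
        if not exfil:
            continue
        deleted = [e["path"] for e in evs if e["type"] == "file_delete" and is_credential_store(e["path"])]
        alerts.append({
            "pid": pid,
            "image": image,
            "stores_read": [e["path"] for e in reads],
            "exfil_hosts": sorted({e["dest_host"] for e in exfil}),
            "stores_deleted": deleted,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} -> {a['exfil_hosts']} "
              f"(read {len(a['stores_read'])} stores, deleted {len(a['stores_deleted'])})")
```

Alerting on the bot-API hostnames alone would be noisy, because legitimate tools use them; the rule keys on the credential-store read by a non-browser process and treats the hostname and the subsequent deletion as corroboration. The exfiltration itself is ordinary HTTPS to well-reputed services, so a network control without this host context sees nothing unusual.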
MrTonyScam and similar campaigns against Facebook business users show how exposed browser credential stores are. Browsers encrypt saved passwords and cookies at rest, but with keys that any program running as the logged-in user can unlock (Chromium on Windows, for example, protects them with DPAPI), so a stealer the victim runs needs no exploit to read and decrypt them. Zaytsev emphasized the need for social media platforms like Facebook to detect account hijacking in real time, and highlighted the thriving cybercriminal ecosystem on the dark web that keeps attracting and enabling more threat actors.
To counter these threats, Zaytsev advises users to exercise caution when dealing with messages from unknown sources. Additionally, implementing multiple layers of security detection can help identify and mitigate malicious messages before they reach social media inboxes. Users must remain vigilant and take proactive measures to protect their online accounts and sensitive information.

