Facebook has recently shared its findings on a long-running ad fraud campaign. The fraud is still ongoing and relies on the SilentFade malware, which steals Facebook credentials and browser cookies.
SilentFade Malware Ad Fraud On Facebook
In a recent talk at the Virus Bulletin 2020 Conference, researchers from Facebook shed light on SilentFade malware ad fraud.
Elaborating on the details in a white paper, the researchers revealed that the malware, named ‘Silently running Facebook ADs with Exploits’ (abbreviated as SilentFade), had been targeting the Facebook platform since 2016.
The malware did not live inside the Facebook environment. Rather, it targeted Facebook users by first reaching their devices bundled with pirated software or apps. Once installed, the malware would steal the victim’s Facebook credentials and browser cookies.
It would also pull account metadata through the Facebook Graph API and send it to a C2 server. That C2 connection also logged the victim’s IP address for geolocation.
As stated in the paper,
This was crucial as the attackers intentionally used the stolen credentials from the same or a nearby city to the infected machine to appear as though the original account owner has travelled within their city.
After that, the attackers would run the ad fraud campaign by creating malicious apps through the victim’s account.
Accounts with a linked payment method were the most lucrative for the attackers. If an account had no payment method or linked page, they would create pages and use stolen payment data to run ads on Facebook through the compromised account.
Facebook clarified, though, that the payment data itself was never exposed.
It should be noted that payment information details (such as bank account and credit card numbers) were never exposed to the attackers, as Facebook does not make them visible through the desktop website or the Graph API.
Stealth Activities By Malware
Apart from running the ad fraud campaign, the malware also used stealth techniques to stay persistent.
For instance, it would turn off the victim account’s activity alert settings. In fact, it disabled notifications entirely across all devices, including alerts for pages the victim administered.
It would also block the “Facebook Login Alerts” and “Facebook for Business” pages so that the user would not receive any alerts via Messenger.
To keep these ‘silent’ changes in place, the malware exploited a server-side vulnerability in Facebook. Even if the owner of the victim account tried to unblock the blocked pages, they would not succeed.
SilentFade had another trick up its sleeve to ensure that the blocks were more permanent. It likely involved confirming if client-side sanity checks were performed on the server-side. The authors discovered that the confidence checks performed by the account-blocking web UI were incomplete in the server-side code, which was subsequently exploited by SilentFade. This bug allowed SilentFade to block both the Login Alerts and Facebook Business pages and ensured that users could not unblock the pages even if they tried. This caused both pages to remain ‘unblockable’.
Facebook later caught and fixed this bug.
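The bug described above is an instance of a general defect: a check that exists only in the web UI can be bypassed by anything that talks to the server directly. The following is an added illustration, not Facebook’s code, of a page-block endpoint with the check missing from the server handler and then enforced there; the page names, the request shape and the function names are assumptions.

```python
"""Server-side validation for a page-block endpoint (illustrative).

Added example, not Facebook's code: models the class of defect described
above, where a web UI refuses to block certain protected pages but the
server handler behind it does not repeat that check. Page names, the
request shape and the helper names are assumptions.
"""
from dataclasses import dataclass, field

# Pages the UI never lets a user block, because they carry security
# notifications. The server must enforce the same rule (constructed list).
PROTECTED_PAGES = frozenset({"Facebook Login Alerts", "Facebook for Business"})


@dataclass
class Account:
    user_id: str
    blocked_pages: set = field(default_factory=set)


class ValidationError(Exception):
    """Raised when a request fails a server-side check."""


def client_may_block(page: str) -> bool:
    """The client-side sanity check the UI performs before sending a request."""
    return page not in PROTECTED_PAGES


def block_page_insecure(account: Account, request: dict) -> Account:
    """Handler that trusts the client: whatever page name arrives is blocked.
    The UI's check is the only one, so a request that skips the UI is not checked."""
    account.blocked_pages.add(request["page"])
    return account


def block_page_secure(account: Account, request: dict) -> Account:
    """Hardened handler: repeats the UI's check on the server and validates input."""
    page = request.get("page")
    if not isinstance(page, str) or not page.strip():
        raise ValidationError("page must be a non-empty string")
    if not client_may_block(page):
        raise ValidationError(f"{page!r} is a protected page and cannot be blocked")
    account.blocked_pages.add(page)
    return account


def unblock_page(account: Account, request: dict) -> Account:
    """Unblocking is always allowed; with the secure handler, protected pages never end up blocked."""
    account.blocked_pages.discard(request.get("page"))
    return account


def audit_protected_blocks(account: Account) -> list:
    """Detection helper: list protected pages found in an account's block list.
    Useful for finding accounts affected before the server-side fix was deployed."""
    return sorted(account.blocked_pages & PROTECTED_PAGES)


if __name__ == "__main__":
    # Constructed request that the real UI would never send.
    request = {"page": "Facebook Login Alerts"}
    victim = block_page_insecure(Account("u1"), request)
    print("insecure handler blocked:", audit_protected_blocks(victim))
    try:
        block_page_secure(Account("u2"), request)
    except ValidationError as e:
        print("secure handler rejected:", e)
```

The design point is that `client_may_block` is the single source of truth and is called from the server handler, not only from the UI; `audit_protected_blocks` is the kind of retroactive check a defender would run over existing accounts once such a gap is closed.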
The researchers were able to link the malware campaign to the Chinese cybercriminal ecosystem. Other malware campaigns from the same ecosystem, such as StressPaint, FacebookRobot, and Scranos, are still ongoing.
Facebook stressed the need for increased user awareness and stronger coordination within the cybersecurity community to combat such threats.