Facebook is currently facing a surge in malware ads that are impersonating well-known tech brands, including Google. Meta, the parent company of Facebook, has responded swiftly to this issue by implementing new security measures. In May 2023, Meta published a security report highlighting the latest malware threats targeting Facebook users. The report revealed that long-running malware families like Ducktail and NodeStealer were leading the attack on the Facebook ad system, taking advantage of the emergence of AI and ChatGPT.
The main strategy employed by bad actors involves hacking verified Facebook pages and renaming them to resemble trustworthy brands such as Facebook, Meta, Google AI, and Bard. These rebranded pages, complete with verified checkmarks, are then used to run ads that contain links to malware.
In their security report, Meta claimed to have disrupted malware operations through rapid adversarial adaptation. However, a recent report by Group-IB indicated that over 3,200 Facebook pages and profiles had been compromised to impersonate tech brands associated with AI, ChatGPT, and Bard. After a period of decreased activity, these malware groups are once again wreaking havoc on the social media platform.
Unlike before, the current wave of malware ads is being served through non-verified Facebook pages that have been compromised. Among the ads discovered is a group posing as Google, offering links to a download site hosted on the Google Sites platform. The download site includes a Dropbox-hosted direct download hotlink, leading to the actual 4.26 MB Malware RAR file.
While the RAR file is password-protected as mentioned on the website, some browsers like Chrome can detect the malware during download and block it before it can harm the device. Unfortunately, Windows Defender failed to detect the malware, even when the installer was running.
To combat the rise of such malware attacks and increase user awareness, Facebook has added a Page transparency feature to all pages. This feature displays the history of any name changes a page has undergone, as well as its country of origin and other pertinent details. Two pages that were recently hacked, গাছগাছালি and SONAX Bangladesh, were renamed to AI Marketing on July 19th and 27th, 2023, respectively. These pages are still active, and the links to the malware are currently functional on Dropbox. Therefore, it is crucial to exercise caution when downloading files offered by seemingly verified pages on Facebook. Users can check a Facebook page’s About section for information on its history and any name changes. Simply adding /about to any Facebook company page URL in the address bar allows easy access to this information.
In conclusion, Facebook is facing a surge in malware ads that impersonate reputable tech brands, including Google. Meta has responded to this issue by implementing new security measures, although bad actors continue to compromise non-verified Facebook pages for the distribution of malware ads. To protect users, Facebook has introduced the Page transparency feature, providing details about a page’s history and name changes. It is important to exercise caution when downloading files offered by seemingly verified pages on Facebook, as the threat of malware remains persistent.
