In the fall of 2020, Facebook detailed a rare cybercrime campaign out of China that wasn’t focused on disinformation or stealing account data. These hackers stole Facebook user credentials to gain access to their victims’ accounts for a completely different purpose. The hacker group that came to be known as SilentFade looked to promote diet pills, sexual health products, and fake designer handbags, shoes, and sunglasses.
Once the Facebook user’s account was compromised, attackers would use the victim’s payment method to purchase malicious ads, and ultimately stole $4 million from victims during their crime spree. Facebook initially detected the attacks late in 2018, and after an investigation, filed a civil suit against a firm, ILikeAd Media International Company Ltd., and two Chinese nationals that allegedly developed the malware and ran the attacks.
“We first discovered SilentFade in December 2018 when a suspicious traffic spike across a number of Facebook end points indicated a possible malware-based account compromise attack for ad fraud,” Facebook malware researcher Sanchit Karve said on a Conference Call with Reporters. “SilentFade would steal Facebook credentials and cookies from various browser credential stores. Accounts that had access to a linked payment method would then be used to run ads on Facebook.”
Despite only a short run of a few months, Facebook said the hackers managed to purchase more than $4 million worth of ads. A Facebook investigation later found the group and its malware may have been operational since 2016.
“All successful malware campaigns require a medium for proliferation,” according to a paper regarding the scam authored by Facebook security engineer Sanchit Karve and security analyst Jennifer Urgilez. “Most of these threats simply used social networks to spread and did not depend on them for monetisation. However, a new group has appeared on the cybercrime scene whose sole objective is to target users of social networking services for ad fraud, sales of counterfeit goods, pharmaceutical pills, and fraudulent product reviews,” the pair warned.
The attackers couldn’t access complete credit card numbers or payment account details from Facebook. Still, once they compromised an account, they could use the payment method Facebook had on file to buy ads. Facebook eventually had to reimburse victims to the tune of $4 million.
SilentFade was generally distributed in a bundle with pirated copies of name-brand software. Once downloaded, the malware would look for special Facebook cookies in the victim’s web browser. These cookies are valuable to hackers because they hold “session tokens” generated after a user logs in with their username, password, and any two-factor authentication inputs.
Attackers even set up their systems to appear to be in the same region that the victim was in whenever they generated their session token. This way, Facebook would believe that the activity was just a normal login from the user and not suspicious activity.
Ad fraud is becoming a bigger problem on social media platforms, but it was surprising to see this kind of compromise happen on Facebook. Given the depth of access hackers achieved, victims and Facebook were lucky that the cost of damages weren’t exponentially higher.
If you are still having trouble, consider contacting remote technical support options.
