How SilentFade group steals millions from Facebook ad spend accounts


Facebook is a magnet for scammers, thieves and other bad actors looking to swindle and manipulate the social media giant’s vast pool of users.

One group discovered by Facebook’s in-house researchers took such a sophisticated approach to bilking Facebook users that it walked away with $4 million in an elaborate ad fraud scheme that went undetected by its victims.

Sachit Karve, speaking both for himself and fellow Facebook security researcher Jennifer Urgilez, offered more details about this scheme at the recent VB 2020 conference. Facebook insiders call the group behind it SilentFade and discovered that it came from a Chinese malware ecosystem that used different types of malware in its cybercrime sprees.

Facebook discovered the malware family near the end of 2018 but traced its origins back to 2016. SilentFade has a keen focus on social media targets. “SilentFade is interesting to us as it explicitly targets users of social networks and more recently services with social components like Amazon,” Karve said.

The name SilentFade comes from “Silently running Facebook ads with exploits.” “The malware is capable of running ads on Facebook, without the user’s knowledge, by exploiting a bug on the platform,” Karve said at the conference.

Facebook first noticed something was wrong when traffic on the platform spiked on December 22, 2018. After digging into the traffic logs, the researchers found that some unknown malware was stealing Facebook cookies and credentials and was exploiting a vulnerability to stay hidden from compromised users.

How SilentFade works

In terms of functionality, SilentFade is slick and complex. It steals Facebook credentials in the form of stored passwords and cookies stored in browsers and recreates basic profile information such as the number of friends a compromised user has, any old pages on the user’s profile, and the amount of money the user has left to spend running Facebook ads. It then checks that the user has a valid credit card or PayPal account linked to their Facebook account.

Like many info-stealers, SilentFade reads the log-in data cache file that Chromium-based browsers use to read saved passwords, Karve said. SilentFade also collects session cookies, which are essentially tokens issued post-authentication, allowing the malware to bypass multi-factor authentication because it already has the token that is issued after a successful login. The malware is then able to successfully make requests to Facebook as an authenticated user.
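The cookie-replay behaviour just described is what a service can look for on its own side: a session cookie issued to one browser at login later being presented from a different client. The following is an added example, not Facebook's detection logic or anything shown in the talk; the event fields, the constructed log events and the client-fingerprint heuristic are all assumptions.

```python
"""Flag session cookies that are replayed from a client other than the one
that authenticated them (constructed example, not a real platform's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of the window
    session: str     # opaque session-cookie identifier
    ip: str
    user_agent: str
    action: str      # "login" (cookie issued) or "request" (cookie presented)


# Constructed sample events. Session s1 is issued to a Chrome browser and
# then presented from a different host with a non-browser user agent, which
# is what a stolen-cookie replay looks like; s2 behaves normally.
SAMPLE_EVENTS = [
    Event(0, "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/79", "login"),
    Event(60, "s1", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/79", "request"),
    Event(900, "s1", "198.51.100.7", "python-requests/2.22", "request"),
    Event(0, "s2", "192.0.2.5", "Mozilla/5.0 (Macintosh) Safari/13", "login"),
    Event(120, "s2", "192.0.2.5", "Mozilla/5.0 (Macintosh) Safari/13", "request"),
]


def client_fingerprint(ev: Event) -> tuple:
    """Assumed heuristic: the client is identified by source IP and user agent."""
    return (ev.ip, ev.user_agent)


def find_replayed_sessions(events):
    """Return {session: (login_fingerprint, first_mismatching_fingerprint)} for
    every session cookie presented from a client other than the one that
    performed the login. Events are processed in timestamp order."""
    issued_to = {}   # session -> fingerprint seen at login
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        fp = client_fingerprint(ev)
        if ev.action == "login":
            issued_to[ev.session] = fp
        elif ev.session in issued_to and issued_to[ev.session] != fp:
            # keep only the first mismatch per session
            flagged.setdefault(ev.session, (issued_to[ev.session], fp))
    return flagged


if __name__ == "__main__":
    for sess, (origin, replay) in find_replayed_sessions(SAMPLE_EVENTS).items():
        print(f"{sess}: issued to {origin}, replayed from {replay}")
```

An IP change on its own is routine for mobile users, so the user-agent mismatch is the stronger signal; in practice this would feed a risk score that triggers re-authentication rather than a hard block.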

One key to how the malware works is that it gains access to Facebook’s Graph API. It does this by hijacking the Ads Manager access token from the HTML response of the Facebook Ads Manager page. Once the token is extracted, SilentFade can get a list of all payment methods linked to an account, information about linked credit cards (although no credit card numbers), and the balance in the Facebook ad account.

A set of Facebook-specific binaries minimise the chances of users detecting SilentFade by limiting all notifications from Facebook, whether through SMS, email or push notifications. SilentFade can even disable sound notifications to stay silent.

“The malware authors have spent a lot of time tinkering with Facebook settings long enough to find a vulnerability, which they took advantage of and use the opportunity to exploit,” Karve said. As a consequence, users are not notified of suspicious logins or activity, even when Facebook’s security system detects abnormal behaviour.

Users aren’t able to unblock the notification settings that SilentFade tinkers with and the blocked pages used in the notification process remain in an irreversible state.

To remediate these issues, Facebook added confidence checks to ensure that all blocks are reversible and took a series of other actions such as forcing password resets for affected users, terminating all active sessions of users hit by the exploit and making the login alerts and the business pages unlockable.

Tapping into the underground ad economy
