Usually when you hear about malicious activity on Facebook it’s tied up in geopolitical skulduggery of some sort. But on Thursday the company detailed a campaign out of China that wasn’t focused on disinformation or stealing account data. The hackers instead stole user credentials and gained access to their accounts toward a different goal: hawking diet pills, sexual health products, and fake designer handbags, shoes, and sunglasses.
Once inside a compromised Facebook user’s account, the attackers would use the associated payment method to purchase malicious ads, ultimately draining $4 million from victims during their spree. Facebook first detected the attacks in late 2018 and after extensive investigation the company filed a civil suit against a firm, ILikeAd Media International Company Ltd., and two Chinese nationals that allegedly developed the malware and ran the attacks. Today at the digital Virus Bulletin security conference, Facebook researchers presented a detailed picture of how the malware, dubbed SilentFade, actually works and some of its novel methods, including proactively blocking a user’s notifications so the victim wouldn’t be aware that anything was amiss.
“We first discovered SilentFade in December 2018 when a suspicious traffic spike across a number of Facebook endpoints indicated a possible malware-based account compromise attack for ad fraud,” Facebook malware researcher Sanchit Karve said on a call with reporters ahead of his Virus Bulletin presentation. “SilentFade would steal Facebook credentials and cookies from various browser credential stores. Accounts that had access to a linked payment method would then be used to run ads on Facebook.”
Attackers couldn’t access actual credit card numbers or payment account details from Facebook, but once inside an account they could use whatever payment method Facebook had on file, if any, to buy ads. Facebook later reimbursed an unspecified number of users for the $4 million in fraudulent ad charges.
SilentFade was often distributed by bundling it in with pirated copies of name-brand software; when a victim downloaded the program they wanted, their device would also be infected with SilentFade. From there the malware would look for special Facebook cookies in Chrome, Firefox, and other popular browsers. These cookies were valuable to the attackers, because they contain “session tokens” that are generated after a user logs in with their username, password, and any required two-factor authentication inputs. If you can grab a session token, you get an easy way to waltz into someone’s Facebook account without needing anything else. If the malware couldn’t find the right cookies, it would directly collect a user’s Facebook login credentials, but would still need to decrypt them.
The attackers would even set up their systems to appear to be in the same general region that the victim was in when they generated their session token. This way Facebook would think the activity was just a normal login from the user going about their day and not suspicious activity from a different region.
SilentFade had other sneaky tactics, too. It proactively turned off Facebook notifications on a victim’s account so that they wouldn’t be warned about a new login or see alerts or messages about ad campaigns being run from their accounts. And it even exploited a vulnerability in Facebook’s validation mechanisms to make it impossible for users to turn their “Login Alerts” and “Facebook Business pages” notifications back on. Facebook says it worked quickly to patch the bug and stop this novel persistence method.
In addition to all of these tricks, the attackers also used obfuscation techniques on the ad network side to mask the true content of their ads by submitting different materials and source websites for review than what they later slotted into the ads that ran.
“They used a variety of cloaking mechanisms and traffic redirection to hide their traces,” said Rob Leathern, Facebook’s director of product management. “These cloaking techniques are ones that camouflage the true intended landing page website by dynamically changing them during and after the ad review process so they show different sites to users than they do to our ad review process. The content of the ads often featured celebrities as a tactic to garner attention. Internally this is something we call ‘celeb-bait,’ and it’s an issue that has dogged the online ad industry for well over a decade.”
