In the world of cybercrime, the only constant is change, as cybercriminals continually invent new and more sophisticated ways to spread malware and bypass security controls. One cyber threat that has recently emerged is Malverposting, which uses the power of social media ads to spread malware. In this article, we will go over one campaign that has been active for months, infecting over half a million users worldwide. The key factor that contributed to the success of this campaign was how the threat actor misused social media, specifically Facebook Ads, to propagate his attack.
How Malverposting works
Social media platforms like Facebook and Twitter might have billions of users connected at any given time, a fact of which cybercriminals are well aware. To exploit this massive user base, they have started using paid social media ads to spread malware, greatly expanding the reach of such malicious attacks. Instead of passively waiting for a user to visit a link or click on an attachment, Facebook ads can be shown to billions of users, increasing the blast radius of such attacks. This attack, “Malverposting,” abuses the trust that users place in these platforms and works by showing them ads in their social media feeds and downloading malicious attachments once the ads are clicked. The cost of running such ads is quickly recouped by the additional victims the attackers can compromise.
The Vietnamese Malverposting Campaign
A recent campaign that used Malverposting to devastating effect was run by a Vietnamese threat actor active on the Facebook platform. The actor compromised nearly half a million users by flooding users’ Facebook feeds with clickbaity ads. This was done by creating new business profiles or compromising existing ones that might have an existing user base or ad demographic in place.
Once the user clicks on the ad, they are socially engineered into downloading malicious attachments that infect their devices and give the attacker access to carry out his malicious actions, such as stealing personal information. As is evident, it is not the infection part which is new but the mass delivery method, which has resulted in this attack spreading to over 500,000 devices worldwide. Even tech-savvy users do not look at Facebook ads with the same suspicion as they would a standard phishing email and have a certain amount of trust in the social media platform. It is this very trust that has allowed the attack to succeed in such a short amount of time.
It is not just users who are impacted but also the business users whose profiles the threat actor has compromised. Due to the malicious campaign committed using their profiles, their reputation can be seriously impacted, and their ad accounts potentially banned from the platform. Businesses can spend years building up their reputation only to have it lost within a matter of days because of Malverposting.
Why Malverposting is so dangerous
Success leads to imitation, and cybercriminals have undoubtedly noticed this recent campaign’s scale and success. The ability to quickly scale and automate a malware campaign using Facebook ads is very attractive. Cybercriminals are more than happy to make the initial investment, given the returns they can see in the future. Facebook is a massively popular platform with users across the globe, and cybercriminals can use the analytics features to refine ads further and target more specific demographics.
The malware used in the attack is also quite advanced and can evade traditional endpoint defenses. It employs advanced techniques used by Advanced Persistent Threats (APT), with new variants being put out frequently, making the job of cybersecurity professionals even harder.
How to mitigate the risk of Malverposting
Malverposting is a unique threat in how it misuses the trust of social media platforms and the power of Facebook ads. Users cannot rely on Facebook to detect every malicious campaign that will be run on its platform and thus must educate themselves about this new type of attack. The sophisticated nature of the malware used in the attack also requires users and companies to put in place controls like ad blockers and advanced anti-malware controls for early detection.
Social media users should be careful not to click on every ad in their social media feed and should verify the links before visiting them. Cybersecurity professionals should add this new threat to their security awareness campaigns if employees use social media from their corporate devices and educate them on identifying such scams.
Conclusion
Malverposting will not go away anytime soon, and the recent success of the Vietnamese campaign means more cybercriminals will be rushing to adopt this technique. Awareness is critical, and if a particular ad on Facebook or Twitter promises something too good to be true, it probably is!
Verify the business or source behind these ads and ensure all the devices you access social media from have the appropriate technical controls in place. Social media is no longer a safe haven from malware, and cybersecurity professionals and users must wake up to this new reality.
FREQUENTLY ASKED QUESTIONS
What is Malverposting?
Malverposting is a new form of cyber threat that uses promoted social media posts to spread malicious software and other security threats. This tactic exploits social platforms’ vast reach and reputation to target and deliver harmful content directly to user screens.
What is a notable example of a Malverposting campaign?
A significant Malverposting campaign linked to a Vietnamese threat actor has been running for several months. This campaign uses resilient deployment techniques and has propagated through the abuse of Facebook’s Ads service, leading to over 500,000 infections worldwide so far.
How does this Vietnamese Malverposting campaign work?
The threat actor creates new business profiles or hijacks existing ones, bombarding Facebook feeds with malicious click-bait posts. Clicking on these posts leads to a malicious ZIP file download. Once a user extracts this file, it initiates an infection process that steals session cookies, account information, crypto wallets, and more.
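The chain described above (a click from a social media feed, then a ZIP download) is something defenders can look for in web proxy logs. The following Python is an added example, not part of the original article: the log layout, the two-minute correlation window and the `.example` hosts are assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

SOCIAL = ("facebook.com", "twitter.com")   # platforms named in the article
WINDOW = timedelta(minutes=2)              # assumed click-to-download window

# Constructed proxy log: time, client, URL, referrer, content type
SAMPLE_LOG = """\
2023-05-01T10:00:00 10.0.0.5 https://promo.example/offer https://l.facebook.com/l.php text/html
2023-05-01T10:00:20 10.0.0.5 https://files.example/photos.zip https://promo.example/offer application/zip
2023-05-01T10:05:00 10.0.0.7 https://intranet.example/build.zip - application/zip
2023-05-01T10:06:00 10.0.0.9 https://news.example/story https://www.facebook.com/ text/html
2023-05-01T10:30:00 10.0.0.9 https://vendor.example/tool.zip https://vendor.example/ application/zip
"""

def is_social(url):
    """True if the URL's host is a social platform or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in SOCIAL)

def is_zip(url, ctype):
    """True if the response looks like a ZIP archive by type or extension."""
    return ctype == "application/zip" or urlparse(url).path.lower().endswith(".zip")

def find_suspect_downloads(log_text):
    """Return (client, zip_url) for ZIPs fetched soon after a social media click."""
    last_click = {}   # client -> time of latest request referred by a social platform
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referrer, ctype = line.split()
        when = datetime.fromisoformat(ts)
        if is_social(referrer):
            last_click[client] = when
        if is_zip(url, ctype):
            clicked = last_click.get(client)
            # The landing page usually sits between the ad and the archive, so
            # correlate by client and time instead of the ZIP's own referrer.
            if clicked is not None and when - clicked <= WINDOW:
                hits.append((client, url))
    return hits

if __name__ == "__main__":
    for client, url in find_suspect_downloads(SAMPLE_LOG):
        print(f"review: {client} downloaded {url} after a social media click")
```

Hits are leads for review rather than verdicts, since legitimate archives are also shared through social media links.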
How can we combat Malverposting and similar threats?
To combat Malverposting and similar threats, cybersecurity measures need to evolve alongside the tactics used by threat actors. This involves a broader approach considering the misuse of legitimate platforms like social media and ad networks.