Saturday, 03 October 2020 05:22

How a Chinese malware gang defrauded Facebook users of $4m


SilentFade group utilized a Windows trojan, browser injections, clever scripting, and a Facebook platform bug to buy and post ads on behalf of hacked users.

At the Virus Bulletin 2020 security conference today, members of the Facebook security team have disclosed more details about one of the most sophisticated malware operations that has ever targeted Facebook users.

Known internally at Facebook as SilentFade, this malware gang was active between late 2018 and February 2019, when Facebook's security team detected their presence and intervened to stop their attacks.

SilentFade utilized a combination of a Windows trojan, browser injections, clever scripting, and a bug in the Facebook platform, showing a sophisticated modus operandi rarely seen with malware gangs targeting Facebook's platform.

The purpose of SilentFade's operations was to infect users with the trojan, hijack the users' browsers, and steal passwords and browser cookies so they could access Facebook accounts.

Once they had access, the group searched for accounts that had any type of payment method attached to their profile. For these accounts, SilentFade bought Facebook ads with the victim's funds.

Despite operating only for a few months, Facebook said the group managed to defraud infected users of more than $4 million, which they used to post malicious Facebook ads across the social network.

The ads followed a similar template and were usually shown only in the geographical location of the infected user, which limited their exposure.

They used URL shorteners and images of celebrities to lure users to sites selling shady products, such as weight loss products, keto pills, and more.

Facebook discovered SilentFade's operations in February 2019, following reports from users of suspicious activities and illegal transactions originating from their accounts.

During the subsequent investigation, Facebook said it found the group's malware, previous malware strains, and campaigns dating back to 2016, and even tracked down the gang's operations to a Chinese company and two developers, which the company sued in December 2019.

SilentFade's beginnings

According to Facebook, the SilentFade gang began operating in 2016, when it first developed a malware strain named SuperCPA, primarily focused on Chinese users.

"Not a lot is known about this malware as it is primarily driven by downloaded configuration files, but we believe it was used for click fraud – thus CPA in this case refers to Cost Per Action – through a victim install-base in China," Facebook's Sanchit Karve and Jennifer Urgilez wrote in their SilentFade report.

But Facebook says the group abandoned the SuperCPA malware in 2017 when they developed the first iteration of the SilentFade malware. This early version infected browsers to steal credentials for Facebook and Twitter accounts, with a focus on verified and high-follower profiles.

But development on SilentFade picked up in 2018, when its most dangerous version, the one used in the 2018 and 2019 attacks, came to be.

How SilentFade spread online

Karve and Urgilez say the gang spread the modern version of SilentFade by bundling it with legitimate software they offered for download online. Facebook said it found ads by the two SilentFade developers posted on hacking forums where they were willing to buy web traffic from hacked sites or other sources, and have this traffic redirected towards the pages hosting the SilentFade-infected software bundles.

Once users got infected, SilentFade's trojan would take control over a victim's Windows computer, but rather than abuse the system for more intrusive operations, it only replaced legitimate DLL files inside browser installations with malicious versions of the same DLL that allowed the SilentFade gang to control the browser.

Targeted browsers included Chrome, Firefox, Internet Explorer, Opera, Edge, Orbitum, Amigo, Touch, Kometa, and the Yandex Browser.

The malicious DLLs stole credentials stored in the browser, but, more importantly, browser session cookies.
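The DLL-swapping technique described above leaves a simple defender-side signal: a browser's shipped DLLs no longer match their known-good hashes. The following is an added example, not code from Facebook's report or from ZDNet, of a baseline integrity check over a browser install directory. It assumes the defender recorded a SHA-256 baseline of the DLLs at install time (the `build_baseline` helper below stands in for that step); the directory and file contents are constructed for the example.

```python
"""Baseline-based integrity check for DLLs in a browser install directory.

Added example (not Facebook's or ZDNet's code). It assumes a baseline of
SHA-256 hashes of the DLLs that shipped with the browser, produced at
install time, and flags any DLL whose hash no longer matches, any baseline
DLL that vanished, and any DLL that was not in the baseline at all.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: Path) -> dict:
    """Record the hash of every DLL currently in the directory (known-good state)."""
    return {p.name: sha256_of(p) for p in install_dir.glob("*.dll")}


def find_dll_anomalies(install_dir: Path, baseline: dict) -> dict:
    """Compare the directory against the baseline.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    A DLL swapped for a malicious copy shows up under "modified";
    a dropped helper DLL shows up under "unexpected".
    """
    current = build_baseline(install_dir)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a fake browser directory where one DLL gets replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp)
        # Constructed stand-ins for vendor DLLs; the bytes are arbitrary.
        (install / "chrome_elf.dll").write_bytes(b"vendor build 1\x00" * 64)
        (install / "libglesv2.dll").write_bytes(b"vendor build 1\x00" * 32)
        baseline = build_baseline(install)
        # Simulate a trojan overwriting one vendor DLL and adding one of its own.
        (install / "chrome_elf.dll").write_bytes(b"replaced by malware\x00" * 64)
        (install / "helper.dll").write_bytes(b"dropped\x00")
        return find_dll_anomalies(install, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real Windows host the baseline would be taken from the vendor package rather than from whatever is on disk, and a mismatch should be confirmed by checking the file's Authenticode signature before acting on it; the hash comparison is the cheap first pass.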

SilentFade then used the Facebook session cookie to gain access to the victim's Facebook account without needing to provide either credentials or a 2FA token, passing as a legitimate and already-authenticated account holder.

The Facebook platform bug

Here is where SilentFade showed its true sophistication.

Facebook said the malware used clever scripting to disable many of the social network's security features, and even discovered and used a bug in its platform to prevent users from re-enabling the disabled features.

Karve and Urgilez said that in order to prevent users from finding out that someone might have accessed their account or was posting ads on their behalf, the SilentFade gang used its control over the browser to access the user's Facebook settings section and disable:

  • Site notifications
  • Chat notification sounds
  • SMS notifications
  • Email notifications of any kind
  • Page-related notifications.

But SilentFade didn't stop here. Knowing that Facebook's security systems might detect suspicious activity and logins and notify the user via a private message, the SilentFade gang also blocked the Facebook for Business and Facebook Login Alerts accounts that sent these private messages in the first place.

The SilentFade group then searched for a bug in the Facebook platform and abused it every time the user tried to unblock the accounts, triggering an error and preventing users from removing the two account bans.
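Two of the behaviours described above, a stolen session cookie being replayed from a new machine (the cookie theft paragraph earlier) and a burst of notification disables followed by blocking of the security-alert senders (this section), are both visible in account activity logs. The following is an added example, not Facebook's detection code, of both checks run over a constructed activity log. It assumes a hypothetical log format with the fields `ts,account,session,ip,user_agent,action,detail`; the sample lines, account ids and IPs are made up for the example.

```python
"""Account-activity detections for session-cookie replay and
notification/blocking tampering.

Added example (not Facebook's code). The log format and every line in
SAMPLE_LOG are constructed for this example.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed activity log: u123 logs in normally, then the same session
# cookie is presented from another IP/browser, which disables notifications
# and blocks the alert senders before buying an ad. u456 is a benign user.
SAMPLE_LOG = """\
ts,account,session,ip,user_agent,action,detail
2019-02-10T08:00:00Z,u123,s-aaa,203.0.113.5,Firefox/65,login,ok
2019-02-10T08:05:00Z,u123,s-aaa,203.0.113.5,Firefox/65,view_feed,
2019-02-10T21:14:03Z,u123,s-aaa,198.51.100.77,Chrome/72,view_settings,
2019-02-10T21:14:10Z,u123,s-aaa,198.51.100.77,Chrome/72,notification_setting,site_notifications=off
2019-02-10T21:14:12Z,u123,s-aaa,198.51.100.77,Chrome/72,notification_setting,email=off
2019-02-10T21:14:13Z,u123,s-aaa,198.51.100.77,Chrome/72,notification_setting,sms=off
2019-02-10T21:14:20Z,u123,s-aaa,198.51.100.77,Chrome/72,block_page,Facebook Login Alerts
2019-02-10T21:14:22Z,u123,s-aaa,198.51.100.77,Chrome/72,block_page,Facebook for Business
2019-02-10T21:20:00Z,u123,s-aaa,198.51.100.77,Chrome/72,create_ad,campaign-1
2019-02-11T09:00:00Z,u456,s-bbb,192.0.2.9,Safari/12,login,ok
2019-02-11T09:03:00Z,u456,s-bbb,192.0.2.9,Safari/12,notification_setting,email=off
"""

# Senders whose private messages warn the user about suspicious logins.
SECURITY_SENDERS = {"Facebook Login Alerts", "Facebook for Business"}
TAMPER_WINDOW = timedelta(minutes=10)  # disables must cluster around the block
MIN_DISABLES = 3                        # how many channels must be switched off


def parse_log(text: str) -> list:
    """Parse the CSV log into dicts with a real datetime in 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def detect_session_replay(rows: list) -> list:
    """Flag a session whose cookie is later presented from a different
    IP or user agent than the one it was issued to at login."""
    origin = {}   # session id -> (ip, user_agent) seen at login
    alerts = set()
    for r in rows:
        sid = r["session"]
        if r["action"] == "login":
            origin[sid] = (r["ip"], r["user_agent"])
            continue
        if sid in origin and origin[sid] != (r["ip"], r["user_agent"]):
            alerts.add((r["account"], sid, r["ip"], r["user_agent"]))
    return sorted(alerts)


def detect_notification_tampering(rows: list) -> dict:
    """Flag accounts that block a security-alert sender and, within
    TAMPER_WINDOW of that block, switch off at least MIN_DISABLES
    notification channels. Returns {account: [blocked senders]}."""
    by_account = defaultdict(list)
    for r in rows:
        by_account[r["account"]].append(r)
    alerts = defaultdict(set)
    for account, events in by_account.items():
        blocks = [e for e in events
                  if e["action"] == "block_page" and e["detail"] in SECURITY_SENDERS]
        disables = [e for e in events
                    if e["action"] == "notification_setting" and e["detail"].endswith("=off")]
        for b in blocks:
            near = [d for d in disables if abs(d["ts"] - b["ts"]) <= TAMPER_WINDOW]
            if len(near) >= MIN_DISABLES:
                alerts[account].add(b["detail"])
    return {a: sorted(s) for a, s in alerts.items()}


def run(text: str = SAMPLE_LOG) -> dict:
    """Run both detections over a log and return their findings together."""
    rows = parse_log(text)
    return {
        "session_replay": detect_session_replay(rows),
        "notification_tampering": detect_notification_tampering(rows),
    }


if __name__ == "__main__":
    print(run())
```

A session seen from a new IP and browser is only a signal (mobile users roam between networks all day), which is why the second check matters: a legitimate user rarely disables several notification channels and blocks both security-alert senders within the same few minutes, so the combination is a much stronger indicator of the compromise pattern described above.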

"This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account," Facebook said.

"The exploitation of this notification-related bug, however, became a silver lining that helped us to detect compromised accounts, measure the scale of SilentFade infections, and map abuse originating from user accounts to the malware responsible for the initial account compromise."

Facebook refunded all users

Facebook said it patched the platform bug, reverted the malware's notification-blocking actions, and refunded all users whose accounts were abused to buy malicious Facebook ads.

The company also didn't stop here, and throughout 2019 tracked down the malware and its creators all across the web. Clues were found in a GitHub account that apparently was hosting many of the libraries used to build the SilentFade malware.

Facebook tracked down this account and the SilentFade malware to ILikeAd Media International Company Ltd., a Hong Kong-based software company founded in 2016, and Chen Xiao Cong and Huang Tao, the two men behind it. Facebook sued the company and the two devs in December 2019 in a legal case that is still ongoing.

Facebook also said SilentFade was part of a larger trend and a new generation of cybercrime actors that appear to reside in China and have persistently targeted its platform and its juicy 2-billion user base.

ZDNet
