Facebook Shut Down Malware That Hijacked Accounts to Run Ads

Facebook Shut Down Malware That Hijacked Accounts to Run Ads

Usually when you hear about malicious activity on Facebook it's tied up in geopolitical skulduggery of some sort. But on Thursday the company detailed a campaign out of China that wasn't focused on disinformation or stealing account data. The hackers instead stole user credentials and gained access to their accounts toward a different goal: hawking diet pills, sexual health products, and fake designer handbags, shoes, and sunglasses.


Once inside a compromised Facebook user's account, the attackers would use the associated payment method to purchase malicious ads, ultimately draining $4 million from victims during their spree. Facebook first detected the attacks in late 2018 and after extensive investigation the company filed a civil suit against a firm, ILikeAd Media International Company Ltd., and two Chinese nationals that allegedly developed the malware and ran the attacks. Today at the digital Virus Bulletin security conference, Facebook researchers presented a detailed picture of how the malware, dubbed SilentFade, actually works and some of its novel methods, including proactively blocking a user's notifications so the victim wouldn't be aware that anything was amiss.


"We first discovered SilentFade in December 2018 when a suspicious traffic spike across a number of Facebook endpoints indicated a possible malware-based account compromise attack for ad fraud," Facebook malware researcher Sanchit Karve said on a call with reporters ahead of his Virus Bulletin presentation. "SilentFade would steal Facebook credentials and cookies from various browser credential stores. Accounts that had access to a linked payment method would then be used to run ads on Facebook."

Attackers couldn't access actual credit card numbers or payment account details from Facebook, but once inside an account ..