Threat Watch

Chinese Malware Gang Targeted Facebook

SilentFade: At the Virus Bulletin security conference, researchers from Facebook’s security team outlined an attack they witnessed, and eventually stopped, targeting users on the social media platform. The attack campaign was carried out by a group known to Facebook as SilentFade and was active between late 2018 and February 2019. Through the use of a Windows Trojan, the group targeted Facebook users in an attempt to hijack passwords and browser cookies. From there, the threat actor exploited a bug they had found on Facebook, using clever scripting that bypassed security controls, and used the stolen credentials to access the victim’s Facebook account. The main goal of the attack was to search for accounts that had any type of payment method saved. Whenever accounts with payment details were found, the group would buy advertisements on Facebook with the stolen funds and use those fake ads to infect other Facebook users. The group managed to steal $4 million USD from Facebook users, which Facebook refunded to all victims. After receiving reports of suspicious activity, Facebook began its investigation and stopped the attacks from being possible in the future. During the investigation, the researchers discovered earlier malware strains from the group dating back to 2016. They were also able to track the operations to a Chinese software company and two specific developers, who were sued by Facebook in 2019.

According to Facebook, “Not a lot is known about this malware as it is primarily driven by downloaded configuration files, but we believe it was used for click fraud – thus CPA, in this case, refers to Cost Per Action – through a victim install-base in China.” The group abandoned its original SuperCPA malware in 2017 and picked up development of this most recent malware in 2018. To initially spread the most recent version of the malware, SilentFade bundled it with legitimate software distributed by the Chinese company. The two developers from the Chinese company posted ads on various forums offering to buy web traffic from hacked websites and redirected that traffic to web pages hosting the SilentFade-infected software bundles. From there, the group gained access to Facebook accounts, where it could use the money stolen from those accounts to infect other users directly on Facebook.

ANALYST NOTES

This attack campaign took advantage of users who clicked on random advertisements. While this is common, the best practice is to go directly to the website of what is being advertised instead of clicking on the ad, since many threat actors use ads as a way to begin infecting a machine. It is also good practice not to store payment information in any browser or account, and to enter it manually every time something needs to be purchased. Storing passwords in browsers is another common practice that threat actors continue to target, because in many cases the user is never alerted that their password was stolen.

More information, along with an analysis of the Facebook bug used in the attack, can be read here: https://www.zdnet.com/google-amp/article/how-a-chinese-malware-gang-defrauded-facebook-users-of-4-million/