August 02, 2023 04:07 pm | Updated 04:20 pm IST

A new phishing campaign distributing an info-stealer is also targeting Facebook business accounts, according to a report by Palo Alto Networks. The malware, an info-stealer called NodeStealer 2.0, is able to take over business accounts on the social network using malicious links that pose as office tools such as spreadsheet templates.

While Meta had reported an older variant in May this year, the new version, written in Python, is more potent, as it can also steal cryptocurrency and data from Telegram. The discovery is part of a rising incidence of phishing attacks on Facebook accounts.

The main phishing campaign for NodeStealer was first identified in December, when two malware variants, dubbed Variant #1 and Variant #2, were spotted. The attackers used several Facebook pages and user accounts to create posts that lured victims into clicking a download link hosted on prominent cloud file storage providers. Clicking the link downloads a .zip file containing the malicious info-stealer .exe files.

While Variant #1 of the malware is far more conspicuous and gives off several signs of abnormal activity, such as shutting down pop-up windows, Variant #2 is more subtle and harder to detect, the cybersecurity firm said in its report. Both variants can harvest the credentials of Facebook business accounts by querying the Meta Graph API with the victim’s user ID and access token.

The Graph API is the malware’s primary means of extracting account data, including details such as the user’s verification status and whether the account is prepaid, which it then transmits to the command-and-control (C2) server. The phishers also attempt to steal login credentials by scouring the cookies and local databases of commonly used browsers. Variant #2 quietly replaces the user’s own email address with one controlled by the attacker, locking the user out of their account and exposing them to financial loss and even reputational damage if the attacker posts inappropriate content.

“Online marketing and advertising is a core part of most businesses today. Through Variant #2 of NodeStealer 2.0, cyberattackers can change the linked email address and lock users out indefinitely. This could lead to large-scale financial and reputational damage due to the improper use of account credit or the publishing of inappropriate content. Facebook is a platform saturated with users of a slightly older demographic who may be less tech-savvy, making them easy targets”, said Anil Valluri, MD and VP, India and SAARC, Palo Alto Networks, in the blog post.

Valluri advised companies to thoroughly review their cyber protection policies and go through the indicators of compromise (IoCs) listed by Unit 42 as a preventive measure.