Fake profiles on Facebook offer to view a file containing sexy photos of women, but the file also contains malware that steals usernames and passwords.
Enough to shatter a few daydreams. A slew of fake Facebook accounts posing as women in sensual outfits has been created to steal credentials, according to research by cloud security firm Zscaler published on January 20, 2023. These profiles contact their victims on Facebook and offer to open a file containing sexy photos. Once downloaded, the album does contain the promised snapshots, but also malware that steals usernames and passwords. Typically the attackers offer a folder to download from a Microsoft OneDrive account or through a fraudulent link.
The malware in question is an info stealer, programmed to search through the victim's files and retrieve specific ones: cookies and login data.
A photo album containing the malware was uploaded to a Microsoft OneDrive account. // Source: Zscaler
To do this, the software focuses on browsers such as Chrome, Firefox, Microsoft Edge and Brave. “Album Stealer”, the name Zscaler gave the malware, targets the Local State, Login Data and Cookies files. Local State holds the keys needed to decrypt the browser's stored data, so the program starts by reading that file and retrieving the parameters it needs to go further in the infection. Functions that target specific files let it quickly locate data of interest and exfiltrate it to external servers. The whole process runs discreetly, without the victim's knowledge.
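As an added illustration of how a defender might spot the file-access pattern described above (this is not code from Zscaler's report), here is a small Python check over constructed file-access events: it flags any process that is not a browser yet reads Local State together with Login Data or Cookies from a Chromium profile store. The event format, the process name album.exe and the paths are assumptions.

```python
import re
from collections import defaultdict

# Browser profile artefacts the article says Album Stealer reads.
TARGET_FILES = {"Local State", "Login Data", "Cookies"}
# Profile roots of the Chromium-based browsers named in the article (assumed default locations).
PROFILE_PATTERN = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\",
    re.IGNORECASE,
)
# Processes that legitimately touch their own profile store.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Constructed sample events: (timestamp, pid, image, file path). Not real telemetry.
SAMPLE_EVENTS = [
    ("10:00:01", 4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("10:00:02", 4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("10:05:10", 7788, "album.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("10:05:11", 7788, "album.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("10:05:12", 7788, "album.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"),
    ("10:07:00", 9001, "notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
    ("10:08:00", 5555, "backup.exe", r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies"),
]


def flag_credential_access(events):
    """Return {pid: image} for non-browser processes that read Local State plus
    at least one of Login Data / Cookies inside a browser profile store."""
    seen = defaultdict(set)   # pid -> set of target file names read
    images = {}               # pid -> process image name
    for _ts, pid, image, path in events:
        if not PROFILE_PATTERN.search(path):
            continue
        name = path.rsplit("\\", 1)[-1]
        if name in TARGET_FILES:
            seen[pid].add(name)
            images[pid] = image
    flagged = {}
    for pid, files in seen.items():
        if images[pid].lower() in BROWSER_PROCESSES:
            continue  # the browser reading its own store is expected
        # Local State (key material) plus a credential store is the stealer's signature.
        if "Local State" in files and files & {"Login Data", "Cookies"}:
            flagged[pid] = images[pid]
    return flagged


if __name__ == "__main__":
    print(flag_credential_access(SAMPLE_EVENTS))
```

backup.exe is not flagged because it only reads Cookies without the Local State keys; in real telemetry you would also want the copy-to-remote-server step that follows.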
Phishing campaigns from Vietnam
The hackers behind this campaign are Vietnamese, according to clues spotted by Zscaler. For example, a request to one of the servers received a response in Vietnamese: “Status update successful”.
The status update is in the Vietnamese language. // Source: Zscaler
This campaign bears a strong resemblance to another phishing operation, named “Ducktail”, run by Vietnamese hackers. In August, company employees were tricked by links sent over Facebook and WhatsApp. The criminals were looking to steal credentials for legitimate Facebook Ads accounts in order to turn them into scam pages. WithSecure, the company behind that research, estimated that the losses for the victim companies could amount to 600,000 euros.