Since July last year, a plethora of infostealers and phishing campaigns have targeted Meta business accounts.

Around July 2022, with the discovery of the Ducktail infostealer, threat actors started a trend of targeting Facebook business accounts for advertising fraud and other purposes.

Using lures such as free spreadsheet templates for business, the threat actors, suspected to be of Vietnamese origin, phished for login credentials and then took over Facebook business accounts. Later, in March 2023, FakeGPT, a new variant of a fake ChatGPT Chrome extension that steals Facebook Ad accounts, was reported.

In May this year, Meta reported new information-stealing malware named NodeStealer that allowed threat actors to steal browser cookies to hijack accounts on the platform, specifically targeting business accounts.

Now, researchers from Palo Alto Networks Unit 42 have brought to light an earlier phishing campaign, started around December 2022, that had not been widely reported. Sharing multiple similarities with the NodeStealer variant that Meta had reported, the December campaign involved two variants with additional features such as cryptocurrency-stealing capabilities, downloader capabilities and the ability to fully take over Facebook business accounts.

According to Vicky Ray, Director, Unit 42 Cyber Consulting & Threat Intelligence, Palo Alto Networks (Asia Pacific & Japan):

“Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks.”

While this specific campaign is no longer active, there are indications that the threat actors behind it may continue to use and evolve NodeStealer or use similar techniques to continue targeting Facebook business accounts. It is also possible that there may be ongoing effects for previously compromised organizations.

Facebook business account owners are encouraged to use strong passwords and enable multifactor authentication. Take the time to educate staff on the signs of phishing tactics, especially modern, targeted approaches that play off current events, business needs and other trending topics.