Cyberattack spreads malware via Facebook ads in Europe
Bitdefender Labs has identified a series of malvertising campaigns spreading malware through fake advertisements on popular platforms in 2024.
These malicious campaigns target users by masquerading as legitimate apps or updates, with one such campaign recently discovered involving a fake Bitwarden extension advertised on Facebook. Users are tricked into installing a harmful browser extension falsely presented as a security update.
Bitdefender Labs' findings indicate these attackers utilise Facebook's advertising platform to deploy seemingly legitimate advertisements that redirect users to malicious websites. This campaign specifically impersonates Bitwarden, a well-known password manager, attempting to instil a false sense of urgency in users to install a sham "security update."
The campaign, which began on 3 November 2024, targets individuals aged 18 to 65 across Europe. Thousands of users have already been exposed to the malicious ads, and the campaign could expand beyond Europe if it is not contained.
Users who engage with these ads are led through multiple redirects, ultimately landing on a phishing site designed to resemble the official Chrome Web Store, further concealing the ad's malicious intent. The malware is designed to collect personal data and targets business accounts on Facebook, posing potential financial risks to both individuals and businesses.
This campaign highlights the ongoing threat of cybercriminals exploiting trusted platforms like Facebook. By appearing as a reliable tool and mimicking urgent update messages, attackers gain access to valuable personal and business data.
The attack initiates with deceptive Facebook ads claiming users' passwords are at risk, urging an update to the Bitwarden browser extension. The ad, deceitfully branded and urgent in its messaging, directs users to a counterfeit webpage imitating the Chrome Web Store. Here, users are guided through sideloading a malicious extension via a Google Drive link.
Once installed, the extension seeks extensive permissions, allowing it to intercept and alter users' online activities. The extension's manifest file, examined by Bitdefender, reveals permissions to access websites, modify network requests, and interact with storage and cookies.
The service-worker-loader.js script within the extension loads background.js, the core component of the attack. A second, obfuscated script, popup.js, runs when users click the extension's browser icon; it accesses Facebook cookies and manipulates page elements.
Once the extension is installed, background.js begins collecting and exfiltrating data. It checks for Facebook cookies on installation, collects IP and location data, and extracts user information via the Facebook Graph API. The gathered data, including personal and business account details, is sent to a Google Script URL that serves as the attackers' command-and-control endpoint.
Detecting and mitigating this attack involves monitoring for suspicious extension permissions and identifying behavioural signatures that indicate compromise. This is made harder by the attack's use of legitimate platforms: the ads are served by Facebook, the extension is delivered through Google Drive, and the stolen data goes to a Google Script URL, so blocking by domain alone is not an option.
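The permission profile described above (broad host access, cookie access, network-request modification, storage, a background service worker and a popup script) is something a defender can check for mechanically. The following Python script is an added example, not Bitdefender's tooling or the malware's actual manifest: it triages an extension's manifest.json against a list of risky permissions and flags the combination that makes Facebook session theft possible. The severity weights, the verdict thresholds and the two sample manifests are this example's own constructions.

```python
"""Triage a browser-extension manifest.json for the permission profile
used by cookie-stealing extensions: broad host access plus cookie and
network-request access, a background script and a popup.

Added example; the risk weights below are a choice for this script,
not a standard, and the sample manifests are constructed, not real."""
import json

# Permissions that let an extension read or alter other sites' sessions
# or traffic, with an (arbitrary, illustrative) severity weight.
RISKY_PERMISSIONS = {
    "cookies": (3, "read/write cookies on permitted hosts (session theft)"),
    "webRequestBlocking": (3, "block or rewrite network requests"),
    "declarativeNetRequest": (2, "rewrite/redirect network requests via rules"),
    "declarativeNetRequestWithHostAccess": (2, "rewrite requests on permitted hosts"),
    "webRequest": (2, "observe every network request"),
    "scripting": (2, "inject scripts into pages"),
    "tabs": (1, "read URLs and titles of open tabs"),
    "storage": (1, "persist collected data locally"),
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest):
    """Collect host match patterns. Manifest V3 lists them under
    host_permissions; Manifest V2 mixes them into permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", [])
              if p == "<all_urls>" or "://" in p}
    return hosts


def pattern_covers(pattern, domain):
    """True if a Chrome match pattern grants access to `domain`."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    if host == "*":
        return True
    if host.startswith("*."):                # e.g. *.facebook.com
        base = host[2:]
        return domain == base or domain.endswith("." + base)
    return domain == host


def triage_manifest(manifest, watch_domains=("facebook.com",)):
    """Return a score, a verdict and the findings that produced them."""
    findings, score = [], 0
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)

    for name in sorted(perms & set(RISKY_PERMISSIONS)):
        weight, why = RISKY_PERMISSIONS[name]
        score += weight
        findings.append(f"permission {name}: {why}")

    if hosts & BROAD_HOST_PATTERNS:
        score += 3
        findings.append("host access to all sites")

    for domain in watch_domains:
        if any(pattern_covers(p, domain) for p in hosts):
            findings.append(f"host access covers {domain}")
            # Cookie access on a watched domain is the session-theft combination.
            if "cookies" in perms:
                score += 2
                findings.append(f"cookies + host access: can read {domain} session")

    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.append("background script runs without user interaction: "
                        + str(bg.get("service_worker") or bg.get("scripts")))
    popup = (manifest.get("action", {}).get("default_popup")
             or manifest.get("browser_action", {}).get("default_popup"))
    if popup:
        findings.append(f"popup runs on icon click: {popup}")

    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: the permission set the article describes, not the
# real extension's manifest.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Security Update",
  "version": "1.0.0",
  "permissions": ["cookies", "storage", "tabs", "declarativeNetRequest"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "service-worker-loader.js"},
  "action": {"default_popup": "popup.html"}
}""")

# Constructed benign comparison: one site, local storage only.
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Site Helper",
  "version": "1.0.0",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"],
  "action": {"default_popup": "popup.html"}
}""")

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], json.dumps(triage_manifest(m), indent=2))
```

Run it against the manifest.json of each installed extension (on Chrome, under the profile's Extensions directory) and review anything scored medium or high. The point of the combined check is that `cookies` alone or `<all_urls>` alone is common in legitimate extensions; it is the pair, together with a request-rewriting permission, that matches what the article describes.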
To reduce the risk, users are advised to install and update extensions only through official browser stores, check the legitimacy of ads and links before clicking, scrutinise the permissions an extension requests, and keep the browser's Developer Mode disabled so that extensions cannot be sideloaded.
Campaigns like these underscore the importance of employing reliable security solutions. Bitdefender recommends using tools such as Bitdefender Total Security for enhanced protection against malvertising and phishing attacks. Additionally, Bitdefender Scamio provides a free on-demand service to detect and prevent scam-related activities across various platforms, including Facebook Messenger, WhatsApp, and Discord.