Facebook has revealed a sophisticated scheme by Chinese hackers that stole millions of dollars from users in a matter of months, using malware to hijack accounts and purchase ads on the victims’ behalf.
It is believed the malware operated between late 2018 and February 2019, when Facebook’s security team detected it and shut it down before refunding the victims.
The social media giant revealed full details of the scam at a security conference last week.
The Facebook team named the operation SilentFade (for Silently running Facebook Ads with exploits), but noted its use was probably not limited to Facebook.
It is believed the SilentFade operators began the specific campaign described in the report towards the end of 2018, but had been active on the platform for several years before that.
The scam was sophisticated and involved multiple steps.
First, a Windows trojan infected victims’ computers and then hijacked their web browsers to harvest saved passwords and cookies.
Cookies are small pieces of data that keep you logged into your favourite websites by holding a “session token” issued after you log in. To an attacker these tokens are more valuable than passwords, because presenting a valid session token bypasses the multi-factor authentication checks – such as a code texted to your phone – that sites like Facebook apply at login.
The hackers then used these passwords and cookies to trawl through Facebook accounts, looking for ones with a payment method attached that could be used to pay for advertising.
When they found such accounts they used them to purchase ads, predominantly for pharmaceuticals.
The ads used fake celebrity endorsements to attract clicks, and shortened links to obscure the website that anyone who clicked would end up at.
Despite running for only a few months, Facebook said the campaign bought more than $US4 million ($A5.6 million) worth of ads before it was detected.
A subsequent investigation later found the group and its malware may have been wreaking havoc on the site since 2016.
Facebook also traced the operation to a Chinese company, which it filed to sue in December along with two developers.
“All successful malware campaigns require a medium for proliferation,” wrote Facebook security engineer Sanchit Karve and security analyst Jennifer Urgilez in the paper disclosing the scam.
“Most of these threats simply used social networks to spread and did not depend on them for monetisation. However, a new group has appeared on the cybercrime scene whose sole objective is to target users of social networking services for ad fraud, sales of counterfeit goods, pharmaceutical pills, and fraudulent product reviews,” the pair warned.
Tenable research engineer Satnam Narang said SilentFade showed the “enormous value” social media platforms provide to scammers.
“Cybercriminals have found a more direct way to capitalise on the popularity of social media by using the same microtargeting tools found in advertising platforms used by legitimate businesses.
“One would think that dubious advertisements could be quickly detected and deleted but, in reality, cybercriminals have pivoted their tactics to evade detection.
“By compromising legitimate Facebook accounts instead of creating fake ones, they’re providing themselves a layer of obfuscation from moderators in order to conduct their fraudulent activities,” Mr Narang said.