“Cybercriminals use massive ‘phishing’ campaign to send accounts via Messenger” | Daily menu

Cybercriminals launched a large-scale campaign last month against Facebook business accounts, using the Messenger platform, through which they send messages about… Violation of service policies and links to infected archives Which includes a “script” capable of obtaining “cookies” and passwords.

This group of attackers, based in Vietnam, was able to infiltrate thousands of companies and organizations through the Facebook messaging service using the “phishing” technique, as confirmed by Guardio Labs. And in the past 30 days, it has been mainly targeted North America, Europe and Oceania.

These cybersecurity experts assert that the attack flow “is a combination of technologies, misuse of open and free platforms, as well as… Many methods of obfuscation and concealment“, according to the report detailing his operation.

To implement these campaigns, cybercriminals send a message containing a “url” via Messenger to company and business owners’ accounts. These links encourage them to click on malicious attachments.

Guardio Labs points out that although the contents of these messages differ, “Everyone seems to share the same context.” It must be related to questions related to a product advertised in the commercial account or to complaints directed to the page claiming violation of platform policies.

Differences in code

So that no one notices, cybercriminals send each message with a series of variations, both in text and subject, as well as different file names, with Unicode characters added to some words. This way, they avoid being detected by “anti-spam” solutions.

The malicious payload (project.py) is recorded in RAR or ZIP formats, and contains a single file inside it. One of the “scripts” discovered by Guardio Labs Show the batch system, i.e. it is executed line by line. This in turn acts as a “dropper”, a type of “malware” that includes an executable file.

This way, the first file downloads another ZIP file, usually hosted on a free source platform like GitHub or GitLab. The latter contains another batch script that runs directly and has a specific encryption.

Specifically, the text file is encoded at the beginning and end in UTF-16LE, while the vast majority of characters are in ASCII. According to analysts, this is a “clever trick to hide the batch content” from automated scanners, preventing the scope of the attack from being limited.

Thus, since it is a batch script, all lines of code, both benign and malicious, are executed. Which uses the Python environment to collect “cookies” Login details, with names and passwords stored in the victims’ browser.

Once the information is recorded, it is sent together to a Telegram or Discord channel using the “bot” API for these communication platforms.

In addition to stealing them, the malicious script deletes all cookies, an action that results in victims being kicked out of their accounts. At this point, cybercriminals hijack your login information and replace passwords to gain access.

The cybersecurity company noted that cybercriminals have an “army of bots and fake accounts,” as well as a list of millions of accounts and pages run by companies, allowing them to send more than 100,000 phishing messages worldwide every week.

What’s more, according to their statistics, of the company’s total Facebook accounts, at least 7 percent received these infected connections in the last 30 days, and about 0.4 percent of them downloaded the attached malicious file, so 1 out of 250 accounts was eventually infected.

Oleg Zaitsev, a cybersecurity researcher at Guardio, also points out that the success rate of this campaign is one in 70 infected accounts, knowing that for credentials and account theft, users still have to run the downloaded file.