Usually when you hear about malicious activity on Facebook it's tied up in geopolitical skulduggery of some sort. But on Thursday the company detailed a campaign out of China that wasn't focused on disinformation or stealing account data. The hackers instead stole user credentials and gained access to their accounts toward a different goal: hawking diet pills, sexual health products, and fake designer handbags, shoes, and sunglasses.
Once inside a compromised Facebook user's account, the attackers would use the associated payment method to purchase malicious ads, ultimately draining $4 million from victims during their spree. Facebook first detected the attacks in late 2018, and after extensive investigation the company filed a civil suit against a firm, ILikeAd Media International Company Ltd., and two Chinese nationals that allegedly developed the malware and ran the attacks. Today at the digital Virus Bulletin security conference, Facebook researchers presented a detailed picture of how the malware, dubbed SilentFade, actually works and some of its novel methods, including proactively blocking a user's notifications so the victim wouldn't be aware that anything was amiss.
"We first discovered SilentFade in December 2018 when a suspicious traffic spike across a number of Facebook end points indicated a possible malware-based account compromise attack for ad fraud," Facebook malware researcher Sanchit Karve said on a call with reporters ahead of his Virus Bulletin presentation. "SilentFade would steal Facebook credentials and cookies from various browser credential stores. Accounts that had access to a linked payment method would then be used to run ads on Facebook."
The attackers couldn't access actual credit card numbers or payment account details from Facebook, but once inside an account they could use whatever payment method Facebook had on file, if any, to buy ads. Facebook later reimbursed an unspecified number of users for the $4 million in fraudulent ad charges.
SilentFade was often distributed by bundling it in with pirated copies of name-brand software; when a victim downloaded the program they wanted, their device would also be infected with SilentFade. From there the malware would look for special Facebook cookies in Chrome, Firefox, and other popular browsers. These cookies were valuable to the attackers, because they contain "session tokens" that are generated after a user logs in with their username, password, and any required two-factor authentication inputs. If you can grab a session token, you get an easy way to waltz into someone's Facebook account without needing anything else. If the malware couldn't find the right cookies, it would directly collect a user's Facebook login credentials, but would still need to decrypt them.
The attackers would even set up their systems to appear to be in the same general region that the victim was in when they generated their session token. This way Facebook would think the activity was just a normal login from the user going about their day and not suspicious activity from a different region.
SilentFade had other sneaky tactics too. It proactively turned off Facebook notifications on a victim's account so they wouldn't be warned about a new login or see alerts or messages about ad campaigns being run from their accounts. And it even exploited a vulnerability in Facebook's validation mechanisms to make it impossible for users to turn their "Login Alerts" and "Facebook Business pages" notifications back on. Facebook says it worked quickly to patch the bug and stop this novel persistence method.
In addition to all of these tricks, the attackers also used obfuscation techniques on the ad network side to mask the true content of their ads by submitting different materials and source websites for review than what they later slotted into the ads that ran.
"They used a variety of cloaking mechanisms and traffic redirection to hide their traces," said Rob Leathern, Facebook's director of product management. "These cloaking techniques are ones that camouflage the true intended landing page website by dynamically changing them during and after the ad review process so they show different sites to users than they do to our ad review process. The content of the ads often featured celebrities as a tactic to garner attention. Internally this is something we call 'celeb-bait,' and it’s an issue that has dogged the online ad industry for well over a decade."
Facebook has teams that work to catch these bait-and-switch ad operations, but Leathern says it's challenging to do so in an automated way. The SilentFade attackers also had the particular advantage of running their ads from innocent accounts that likely did not have a negative reputation or previous suspicious activity associated with them. This made it easier for the malicious ads to run undetected.
In a way it's hard to imagine that with such a clever scheme and so much account access the actors were really simply trying to sell knockoff sunglasses. Facebook can only trace the activity so far, and the researchers noted that it's not totally clear what happened to users who clicked the malicious ads. But the indicators they have support the idea that the hackers really were simply trying to monetize their scam to sell counterfeit goods. Or it's possible that the actors behind SilentFade got a commission from other vendors for helping them make sales.
Facebook says that since it patched the vulnerability SilentFade was exploiting to suppress account notifications, the platform has seen a marked drop-off in the malware's use. But the company says that variants have also been used to target other large tech platforms, including Twitter and more recently Amazon. Twitter and Amazon did not immediately respond to a request for comment.
In mid-2018, months before Facebook first detected SilentFade, researchers from the security firm Radware published findings on a different Facebook credential-harvesting campaign that Facebook now says was created by the same China-based actor. Distributed through phishing emails, this other malware, dubbed Stresspaint, came bundled with a drawing application called Relieve Stress Paint that would grab Facebook users' credentials and cookies from browsers using similar techniques to those used by SilentFade. Radware found that in less than five days the attackers had infected more than 40,000 targets. Facebook says that after Radware published its findings, the actor paused its activity for a few months, but it then resumed with SilentFade, a more sophisticated evolution that included the notification-blocking features.
"When we saw the Stresspaint malware almost two and a half years ago, we didn’t see the full picture of this group, because we couldn't see them performing all of these operations," says Adi Raff, a product manager at Radware. "But Facebook can see what they were doing on their platform. The group itself seems very sophisticated. It's been active for almost four years, and it's developed a number of different variations of malware with different capabilities. They did a lot in those four years."
Ad fraud is a problem on every platform, but it's rare to see this kind of sophisticated compromise happen on Facebook. Given the level of access the attackers were able to achieve and maintain, it's almost fortunate that they seemingly set their sights so low.
This story has been updated to include comment from Radware.