CopperStealer malware hijacks Facebook business accounts to run malicious ads

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers

Cyber criminals have launched a new campaign that uses 'CopperStealer' malware to steal Facebook passwords stored in Chrome, Edge, Yandex, Opera, and Firefox browsers.

According to a blog post by researchers at cyber security firm Proofpoint, threat actors used this unauthorized access to Facebook and Instagram business accounts to run malicious adverts for profit and to deliver additional malware in subsequent malvertising campaigns.

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers. The earliest discovered samples date back to July of 2019.

Proofpoint analysis uncovered additional CopperStealer versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. The malware targets large tech platforms and service providers in an attempt to steal login credentials for some of the most popular services on the internet.

Researchers believe that CopperStealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd and, during the 2020 Virus Bulletin conference, disclosed that the malware was responsible for over $4 million in damages.

Researchers discovered suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered multiple malware families including CopperStealer.

“These sites advertise themselves to offer ‘cracks’, ‘keygen’ and ‘serials’ to circumvent licensing restrictions of legitimate software. However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers.
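For defenders, the four distribution sites named above can be matched against web proxy or DNS logs. The following is an added example, not code from Proofpoint or the original article; the log layout (timestamp, client, URL) and the sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Distribution sites named in the article, kept defanged as published.
DEFANGED_IOCS = [
    "keygenninja[.]com",
    "piratewares[.]com",
    "startcrack[.]com",
    "crackheap[.]net",
]
BLOCKED = {d.replace("[.]", ".").lower() for d in DEFANGED_IOCS}


def host_of(url):
    """Extract the lowercase hostname from a URL or a bare host[:port] value."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def matches_ioc(host):
    """True for a listed domain or any subdomain, compared on label boundaries."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))


def flag_requests(log_lines):
    """Return (client, host) for each log line whose URL host is a listed domain."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        host = host_of(fields[2])
        if matches_ioc(host):
            hits.append((fields[1], host))
    return hits


# Constructed proxy log lines (timestamp client url), not real telemetry.
SAMPLE_LOG = [
    "2021-03-18T09:14:02Z 10.0.4.21 https://www.keygenninja.com/download",
    "2021-03-18T09:14:40Z 10.0.4.33 https://notstartcrack.com/",
    "2021-03-18T09:15:11Z 10.0.7.8 CRACKHEAP.NET:443",
    "2021-03-18T09:16:05Z 10.0.7.9 https://example.org/?ref=piratewares.com",
]

if __name__ == "__main__":
    for client, host in flag_requests(SAMPLE_LOG):
        print(f"{client} requested {host}")
```

Matching on whole DNS labels rather than substrings keeps look-alike hosts and query-string mentions from producing false positives.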


The malware also contains the ability to find and send saved browser passwords and uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to, according to researchers.

Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, said that credentials make the world go round when it comes to the current threat landscape, adding that this shows the lengths that threat actors will go to in order to steal valuable credential data.

“Credential stealer malware, credential phish landing pages, and cookie stealing all contribute to account compromises which can then be leveraged to impersonate and launch further attacks,” she said.

“CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”
