A sophisticated malvertising campaign is tricking Facebook users into installing a fake "Meta Verified" browser extension. The ads, disguised as video tutorials, promise to give users the blue verification badge for free, but in reality, the extension is a tool to steal sensitive data.
Once installed, the extension immediately begins harvesting session cookies, access tokens, and the victim's IP address. The lure and the extension itself are served from legitimate hosting services such as Box.com, which makes the download look trustworthy and lets it slip past defenses that rely on blocking known-bad domains. Bitdefender analysts noted that both the video tutorials and the code are written in Vietnamese, which points to a Vietnamese-speaking threat group.
The extension is built for targeted account theft rather than bulk noise. It queries the Facebook Graph API to single out valuable business accounts, then collects every cookie set for the facebook.com domain. Everything it gathers is forwarded to a Telegram bot under the attackers' control. It also records the victim's geolocation, which raises the resale value of the stolen accounts on underground forums.
The attackers have automated the creation of new campaign assets, so a fresh ad or extension build is cheap to produce when one is taken down. The extension is also persistent: it registers a background component that runs every time the browser starts. Because it is hosted on legitimate domains and uses a compact script to collect and ship the data, it evades many common security controls. Defenders are advised to monitor for unusual cookie reads or exports, especially by browser extensions, and to vet extension permissions closely: cookie access combined with facebook.com host permissions and a background component is the capability set to look for.
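As an added example of the "vet browser extensions" advice (this is not the campaign's code, nor tooling from Bitdefender or the article), the script below audits a Chrome-style extension manifest for the capability set the article describes: the `cookies` permission paired with a host pattern that covers facebook.com, a background component that starts with the browser, and content scripts injected into facebook.com pages. The two manifests are constructed for the demo; the scoring thresholds are the author's own choice, not a published standard.

```javascript
// Host patterns that grant access to every site.
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Does a host-permission or content-script match pattern cover `domain`?
// Handles MV2/MV3 patterns such as "*://*.facebook.com/*" and "https://www.facebook.com/*".
function coversDomain(pattern, domain) {
  if (BROAD_HOSTS.includes(pattern)) return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const host = m[2];
  if (host === "*") return true;
  const bare = host.startsWith("*.") ? host.slice(2) : host;
  return bare === domain || bare.endsWith("." + domain);
}

// Audit one manifest and return a risk rating plus human-readable findings.
function auditManifest(manifest, domain = "facebook.com") {
  const findings = [];
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  // MV2 mixes host patterns into "permissions"; MV3 keeps them in "host_permissions".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p.includes("://") || p === "<all_urls>"),
  ];
  const hitsDomain = hosts.some((h) => coversDomain(h, domain));

  // The decisive combination: cookie API access plus a host grant for the target domain
  // is what lets an extension read every cookie for that domain.
  const cookieTheft = perms.has("cookies") && hitsDomain;
  if (cookieTheft) {
    findings.push(`can read every cookie for ${domain} (cookies permission + host match)`);
  }

  // Any background component is loaded when the browser starts (persistence).
  const bg = manifest.background || {};
  const hasBackground = Boolean(bg.service_worker || (bg.scripts && bg.scripts.length) || bg.page);
  if (hasBackground) {
    findings.push("has a background component, so it runs whenever the browser starts");
  }

  // Content scripts on the target domain can scrape pages and tokens directly.
  const injects = (manifest.content_scripts || []).some((cs) =>
    (cs.matches || []).some((p) => coversDomain(p, domain))
  );
  if (injects) {
    findings.push(`injects scripts into ${domain} pages`);
  }

  if (perms.has("geolocation")) {
    findings.push("requests geolocation");
  }

  // Scoring is this example's own heuristic, not a standard.
  const risk = cookieTheft && hasBackground ? "high" : cookieTheft || injects ? "medium" : "low";
  return { name: manifest.name, risk, findings };
}

// Constructed manifest shaped like the capability set the article describes.
const SUSPECT_MANIFEST = {
  name: "Meta Verified (constructed demo, not the real extension)",
  manifest_version: 3,
  permissions: ["cookies", "tabs", "storage"],
  host_permissions: ["*://*.facebook.com/*"],
  background: { service_worker: "bg.js" },
  content_scripts: [{ matches: ["https://www.facebook.com/*"], js: ["inject.js"] }],
};

// Constructed benign manifest: a theme toggle that never touches cookies.
const BENIGN_MANIFEST = {
  name: "Dark mode toggle (constructed demo)",
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
  background: { service_worker: "bg.js" },
};

console.log(JSON.stringify([SUSPECT_MANIFEST, BENIGN_MANIFEST].map((m) => auditManifest(m)), null, 2));
```

In a real review, point `auditManifest` at the `manifest.json` of each installed extension (under the browser profile's extensions directory) and treat "high" as a reason to read the background script before letting it stay. The manifest is only the first gate: the exfiltration endpoint (here a Telegram bot) lives in the script, not the manifest, so pair this check with egress monitoring for the browser process.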