CopperStealer malware hijacks Facebook business accounts to run malicious ads

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers

Cyber criminals have launched a new campaign that uses 'CopperStealer' malware to steal Facebook passwords stored in Chrome, Edge, Yandex, Opera, and Firefox browsers.

According to a blog post by researchers at cyber security firm Proofpoint, threat actors used this unauthorized access to Facebook and Instagram business accounts to run malicious adverts for profit and to deliver additional malware in subsequent malvertising campaigns.

The disruption of the campaign was part of coordinated action from Facebook, Cloudflare, and other providers. The earliest discovered samples date back to July of 2019.

Proofpoint analysis uncovered additional CopperStealer versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter. The malware targets large tech platforms and service providers in an attempt to steal login credentials for some of the most popular services on the internet.

Researchers believe that Copperstealer is a previously undocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot, and Scranos. Facebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd, and during the 2020 Virus Bulletin conference, disclosed it was responsible for over $4 million in damages.

Researchers discovered suspicious websites advertised as “KeyGen” or “Crack” sites, including keygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered multiple malware families including CopperStealer.

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software.  However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers.

Related Resource

Remote workforce security report

Key challenges, security threats, and investment priorities of organisations during the pandemic

remote workforce security report - whitepaper from OktaDownload now

The malware also contains the ability to find and send saved browser passwords and uses stored cookies to retrieve a User Access Token from Facebook. Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and Instagram to gather additional context, including a list of friends, any advertisement accounts configured for the user, and a list of pages the user has been granted access to, according to researchers.

Sherrod DeGrippo, senior director of Threat Research and Detection at Proofpoint, said that credentials make the world go round when it comes to the current threat landscape, adding that this shows the lengths that threat actors will take to steal valuable credential data. 

“Credential stealer malware, credential phish landing pages, and cookie stealing all contribute to account compromises which can then be leveraged to impersonate and launch further attacks,” she said.

“Copperstealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks. These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers.”

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

YouTube growth spikes as most other social media sites stagnate
social media

YouTube growth spikes as most other social media sites stagnate

8 Apr 2021
Supreme Court justice targets social media
Policy & legislation

Supreme Court justice targets social media

6 Apr 2021
Weakness in Mamba ransomware could help recover data
ransomware

Weakness in Mamba ransomware could help recover data

26 Mar 2021
Invoice ZLoader campaign hides within encrypted Excel docs
malware

Invoice ZLoader campaign hides within encrypted Excel docs

8 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO
Hardware

Alienware’s new gaming laptop is a kick in the teeth for Intel’s new CEO

8 Apr 2021