For those of you who are on Facebook, beware of a new malvertising ad campaign identified by Bitdefender analysis. The campaign “coerces unsuspecting users into installing a fake ‘Meta Verified’ browser extension” that includes video tutorials designed to “harvest sensitive user data, including session cookies, access tokens and IP addresses.” If victims follow the tutorial, they are told to click on an ad link that then allows the threat actors to install an extension that allows them “to read and export cookies from the facebook.com domain.”
The attackers evade security measures, including URL blocking, and leverage trusted platforms like Box.com to host the campaign. Once the threat actors, believed to be from Vietnam, obtain valid access tokens, they use “Facebook Graph API to query Business account information…allowing attackers to distinguish high-value corporate profiles from personal accounts.”
The threat actors' "streamlined approach bypasses many endpoint-based detections, while the use of legitimate domains for hosting and command-and-control reduces the likelihood of rapid takedown." It is recommended that "security teams should monitor abnormal cookie export activity and enforce rigorous extension vetting to defend against such industrialized malvertising threats."
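One concrete check behind the "rigorous extension vetting" recommended above, added here as an example rather than anything from Bitdefender's analysis: a small Python audit of browser-extension manifests that flags any extension holding both the `cookies` permission and a host permission covering facebook.com, the combination an extension needs before it can read that domain's cookies through the browser cookies API. The manifests and extension names below are constructed samples, not real extensions.

```python
import re

# Constructed sample manifests (not real extensions): a benign one, and two
# whose permissions would let them read facebook.com cookies as the page describes.
SAMPLE_MANIFESTS = {
    "notes-helper": {"manifest_version": 3, "permissions": ["storage"],
                     "host_permissions": ["https://notes.example/*"]},
    "fake-meta-verified": {"manifest_version": 3, "permissions": ["cookies", "tabs"],
                           "host_permissions": ["*://*.facebook.com/*"]},
    # MV2 lists host patterns under "permissions" rather than "host_permissions"
    "legacy-all-urls": {"manifest_version": 2, "permissions": ["cookies", "<all_urls>"]},
}

MATCH_PATTERN = re.compile(r"^(\*|https?|file|ftp)://([^/]+)(/.*)?$")

def pattern_covers_host(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern grants access to `host`."""
    if pattern == "<all_urls>":
        return True
    m = MATCH_PATTERN.match(pattern)
    if not m:
        return False  # not a host pattern (e.g. a plain API permission)
    allowed = m.group(2).lower()
    if allowed == "*":
        return True
    if allowed.startswith("*."):  # "*.facebook.com" also matches the bare domain
        suffix = allowed[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == allowed

def can_read_cookies_for(manifest: dict, host: str) -> bool:
    """The cookies API works on a site only with BOTH the "cookies" permission
    and a host permission matching that site; optional permissions count too,
    since the user can be talked into granting them later."""
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    if "cookies" not in perms:
        return False
    hosts = perms + manifest.get("host_permissions", []) + manifest.get("optional_host_permissions", [])
    return any(pattern_covers_host(p, host) for p in hosts)

def audit(manifests: dict, host: str = "www.facebook.com") -> list:
    """Names of extensions that must be vetted before they are allowed."""
    return sorted(n for n, m in manifests.items() if can_read_cookies_for(m, host))

if __name__ == "__main__":
    for name in audit(SAMPLE_MANIFESTS):
        print(f"REVIEW: {name} can read cookies for www.facebook.com")
```

Run it over the manifests of the extensions actually installed in your fleet; anything it flags that is not on an approved list deserves a look before it stays.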