Fake profiles on Facebook offer to view a file containing sexy photos of women. But this file also contains malware that steals usernames and passwords.

A rude awakening for some. A multitude of fake Facebook accounts of women in sensual outfits have been created to steal credentials, reveals research from cloud security company Zscaler, published on January 20, 2023. These profiles contact their victims on Facebook by offering to view a file containing sexy photos. Once downloaded, the album in question contains the promised shots, but also malware that steals usernames and passwords. Generally, the hackers offer a folder to download from a Microsoft OneDrive account or from a fraudulent link.

The malware in question here is an info stealer, programmed to search through the victim's files and harvest specific data: cookies and login credentials.

A photo album containing the malware, uploaded to a Microsoft OneDrive account. // Source: ZScaler

For this, the software focuses on browsers such as Chrome, Firefox, Microsoft Edge and Brave. "Album Stealer", the name Zscaler gave the malware, targets the Local State, Login Data and Cookies files. The Local State file contains the keys needed to decrypt the browser's stored data. The program starts by reading this file and recovering the parameters it needs to go further in the infection. File-targeting routines let it quickly find the interesting data and exfiltrate it to external servers. The whole process is carried out discreetly, without the victim's knowledge.
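One way a defender can turn the behaviour described above into a detection: any process other than the browser itself reading Local State together with Login Data or Cookies is worth an alert, because the key file plus a data file is exactly what is needed to decrypt saved credentials. The script below is an added example, not code from Zscaler or from the article; the log format (process name, action, path) and the sample lines, including the process name `sample_dropper.exe`, are constructed for this illustration, and the browser allowlist is an assumption to tune for your environment.

```python
"""Flag non-browser processes reading Chromium credential stores.

Added illustration, not part of the Zscaler report or the article. The
log format (process, action, path) and every sample line below are
constructed; map your own EDR or Sysmon file-access events onto them.
"""
import re
from pathlib import PureWindowsPath

# Files the article says Album Stealer reads in Chromium-based browsers.
# Local State holds the key material; Login Data and Cookies hold the
# encrypted values that key unlocks.
TARGET_FILES = {"Local State", "Login Data", "Cookies"}

# Processes that legitimately open these files (assumed allowlist; tune it).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed log format: "<process> <READ|WRITE> <path>" (paths may contain spaces).
LOG_LINE = re.compile(r"^(?P<process>\S+)\s+(?P<action>READ|WRITE)\s+(?P<path>.+)$")

# Constructed sample events: one browser, one unknown binary, one benign process.
SAMPLE_LOG = [
    r"chrome.exe         READ  C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"sample_dropper.exe READ  C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State",
    r"sample_dropper.exe READ  C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"sample_dropper.exe READ  C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"notepad.exe        READ  C:\Users\alice\Documents\notes.txt",
    r"msedge.exe         READ  C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Cookies",
]


def parse_line(line):
    """Return a dict with process/action/path, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_credential_store(path):
    """True when the path names one of the targeted files inside a browser profile tree."""
    p = PureWindowsPath(path)
    # Requiring a "User Data" component cuts false positives from unrelated
    # files that happen to be called "Cookies".
    return p.name in TARGET_FILES and "User Data" in p.parts


def suspicious_reads(lines):
    """Return (process, file name) pairs for non-browser reads of credential stores."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "READ":
            continue
        if not is_credential_store(ev["path"]):
            continue
        if ev["process"].lower() in BROWSER_PROCESSES:
            continue
        alerts.append((ev["process"], PureWindowsPath(ev["path"]).name))
    return alerts


def processes_with_key_and_data(lines):
    """Processes that read Local State AND at least one encrypted data file.

    That combination is the stealer pattern the article describes: grab the
    key, then grab the data the key decrypts.
    """
    seen = {}
    for proc, fname in suspicious_reads(lines):
        seen.setdefault(proc, set()).add(fname)
    return {
        proc for proc, files in seen.items()
        if "Local State" in files and files & {"Login Data", "Cookies"}
    }


if __name__ == "__main__":
    for proc, fname in suspicious_reads(SAMPLE_LOG):
        print(f"ALERT: {proc} read {fname}")
    print("key+data pattern:", processes_with_key_and_data(SAMPLE_LOG))
```

Run against the constructed log, the browsers' own reads are ignored, the benign Notepad event is ignored, and only `sample_dropper.exe` is reported, both as three individual alerts and as the single process matching the key-plus-data pattern. In production the allowlist should be by signed binary path rather than by file name, since a stealer can trivially name itself `chrome.exe`.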

Phishing campaigns from Vietnam

The hackers behind this campaign are Vietnamese, according to the clues spotted by Zscaler. For example, a request to a server received a response in Vietnamese that translates to "Successful status update".

The status update is in Vietnamese. // Source: Zscaler

This campaign is very similar to another phishing operation, named "Ducktail", carried out by Vietnamese hackers. In August, company employees were tricked via links sent on Facebook and WhatsApp. The criminals were looking to steal the credentials of legitimate Facebook Ads accounts in order to turn them into scam pages. WithSecure, the company behind that research, estimated that the losses for the victim companies could amount to 600,000 euros.
