The paradox of Meta's anti-malware efforts amidst enabling cybercriminal exploits

Meta detects and disrupts malware campaigns and, at the same time, allows scammers to target users via ads


At a glance

  • Meta has released research and technical analysis identifying and detailing several malicious software families, including Ducktail, NodeStealer, and ChatGPT-themed malware, which aim to compromise business accounts and run unauthorized ads through them. These malware strains employ tactics like adapting to current trends and stealing session tokens to evade detection.

  • Despite its efforts to curb cyber threats, Meta allows cybercriminals to exploit its advertising platform. Meta does not mandate a manual review of each ad before publishing, thereby enabling malicious actors to create and distribute ads that can appear legitimate and target susceptible users.

  • Meta’s advertising policy has apparent vulnerabilities due to its relatively lax approval process, which cybercriminals manipulate by creating deceptive ads that may look like legitimate businesses or initiatives. Users clicking on these ads might be directed to websites that covertly download malware onto their systems, further perpetuating the malware campaign.

  • Meta has established teams dedicated to identifying, mitigating, and disrupting malware campaigns. Using various tools and methodologies, they attempt to remove malware from the platform and collaborate with law enforcement to hold cybercriminals accountable. Despite these actions, the existing ad approval methodology potentially undermines these efforts.

  • To guard against malware disseminated through ads on Meta platforms, users are advised to exercise caution by avoiding clicking on ads that promise unrealistic outcomes or redirect to unfamiliar websites. Using updated antivirus software and firewalls, being wary of unfamiliar software downloads, and reporting suspicious ads are recommended practices for user self-defense against potential malware threats, despite certain limitations and risks in reporting.


While Meta, the parent company of Facebook, works to detect and disrupt malware campaigns that target businesses across the internet, the social media giant also allows cybercriminals to use its platform to target users who are more likely to click an ad and download malware.

A few months back, Meta shared its threat research and technical analysis into several persistent malware families, including Ducktail, NodeStealer, and ChatGPT-themed malware.

According to Meta, these malware families aim to compromise business accounts and run unauthorized ads from them. They use various tactics to evade detection and enforcement, such as spreading across multiple internet services, adapting to hot topics and popular tools, and stealing session tokens and credentials from browsers.

Just today, I came across several Google- and even Meta-themed Facebook ads with malware that will automatically download a file with an .msi extension once clicked. The malware is hidden inside a .rar compressed file several levels deep to evade detection.

A Google representative said they have been reporting deceptive ads like this, but Facebook is still serving them to FB account holders.
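The nested-archive trick described above (an installer buried several layers deep so that a shallow scan never sees it) is something a defender can check for before a download is ever opened. The inspector below is an added example, not Meta's tooling and not code from the original post: it walks an archive recursively, flags members that are executables by extension or by magic bytes (so a payload renamed to `photo.png` is still caught), records the nesting chain, and refuses to unpack past a depth or size limit. It uses ZIP archives as a stand-in because Python's standard library cannot read RAR; a RAR found inside is reported rather than opened (the third-party `rarfile` module would be the place to continue). The sample archive it builds is constructed for the demonstration and contains only an OLE header, not a real installer; all names and thresholds in it are assumptions.

```python
"""Recursive archive inspector (added example). Flags executable payloads buried
inside nested archives, the evasion technique the post describes (an .msi inside
several layers of .rar). Uses zip as a stand-in because the stdlib cannot read RAR."""
import io
import zipfile

EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".dll"}
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"                      # common prefix of the RAR4 and RAR5 signatures
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound document: .msi (also legacy Office)
PE_MAGIC = b"MZ"                                 # Windows PE executable / DLL
MAX_DEPTH = 8                                    # assumed limit: refuse runaway nesting (zip bombs)
MAX_ENTRY_BYTES = 50 * 1024 * 1024               # assumed limit: do not inflate huge members


def _ext(name: str) -> str:
    return name[name.rfind("."):].lower() if "." in name else ""


def _payload_reason(content: bytes, ext: str):
    """Classify by content first, then by extension, so renamed files are still caught."""
    if content.startswith(OLE_MAGIC) or ext == ".msi":
        return "OLE container (Windows Installer .msi or legacy Office)"
    if content.startswith(PE_MAGIC) or ext in EXECUTABLE_EXTS:
        return f"executable ({ext or 'no extension'})"
    return None


def inspect_archive(data: bytes, path: str = "<root>", depth: int = 0):
    """Return findings as (virtual_path, depth, kind, reason) tuples.

    depth is the number of archives enclosing the entry; kind is one of
    "payload", "archive" or "error".
    """
    if depth > MAX_DEPTH:
        return [(path, depth, "error", "nesting deeper than MAX_DEPTH; not unpacked")]
    if data.startswith(RAR_MAGIC):
        # The stdlib cannot read RAR; report it so an analyst (or the third-party
        # rarfile module) can continue from here instead of silently skipping it.
        return [(path, depth, "archive", "RAR archive not unpacked (needs rarfile)")]
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, depth, "error", "malformed zip")]

    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        vpath = f"{path}/{info.filename}"
        if info.file_size > MAX_ENTRY_BYTES:
            findings.append((vpath, depth + 1, "error", "member too large; not inflated"))
            continue
        child = zf.read(info)
        reason = _payload_reason(child, _ext(info.filename))
        if reason:
            findings.append((vpath, depth + 1, "payload", reason))
        if child.startswith(ZIP_MAGIC):
            findings.append((vpath, depth + 1, "archive", "nested zip"))
            findings.extend(inspect_archive(child, vpath, depth + 1))
        elif child.startswith(RAR_MAGIC):
            findings.extend(inspect_archive(child, vpath, depth + 1))
    return findings


def deepest_payload(findings) -> int:
    """Nesting depth of the most deeply buried executable, 0 if none was found."""
    return max((d for _, d, kind, _ in findings if kind == "payload"), default=0)


def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed lure: a (fake) .msi three archives deep, next to a harmless decoy."""
    fake_msi = OLE_MAGIC + b"\x00" * 64       # only the header; not a real installer
    inner = _zip_bytes({"setup.msi": fake_msi})
    middle = _zip_bytes({"inner.zip": inner})
    return _zip_bytes({"README.txt": b"unpack the inner archive to install", "middle.zip": middle})


if __name__ == "__main__":
    sample = build_sample()
    for vpath, depth, kind, reason in inspect_archive(sample):
        print(f"depth={depth} {kind:8s} {vpath}: {reason}")
    print("deepest payload depth:", deepest_payload(inspect_archive(sample)))
```

Run as a script, it lists the nesting chain `<root>/middle.zip` → `inner.zip` → `setup.msi` and reports the installer at depth 3. A depth of 2 or more for an executable is itself a useful alert condition: legitimate software downloads are almost never packaged that way, whereas the post's sample was wrapped several levels deep precisely to defeat scanners that only open the outer layer.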

Meta says the company has teams dedicated to detecting and disrupting malware campaigns. These teams use a variety of tools and techniques to identify and remove malware from Meta's platforms. Meta also works with law enforcement agencies to investigate and prosecute cybercriminals.

However, Meta also allows cybercriminals to use its platform to target users who are more likely to click on ads and download malware. Meta relies on advertisers to prove that their ads are legitimate by following its policies. This means that Meta does not manually review every ad submitted before publication. Instead, advertisers are responsible for ensuring that their ads comply with Meta's advertising policies. This approach has some advantages. It allows Meta to process ads more quickly and efficiently. It also reduces the workload on Meta's review teams.

However, this also means that cybercriminals can create ads that appear to be from legitimate businesses or organizations, even if they are not. These ads can then target users more likely to be interested in the advertised products or services.

For example, a cybercriminal might create an ad for a fake Google Bard software program. The ad might target users who recently searched for information about Bard, Google's AI platform. When users click on the ad, they are taken to a website that downloads the malware onto their computer.

While Meta advised people to be cautious when downloading new software like browser extensions or mobile apps, or when downloading files across the internet, the social media giant also continues accepting paid ads or sponsored posts from cybercriminals to target those more likely to click the ads. Using the Facebook algorithm of targeting users who are more likely to engage with the ads, cybercriminals can make their job of finding victims easier.

Here are some tips for staying safe from malware that is spread through Meta ads:

  • Be wary of ads that promise unrealistic results or seem too good to be true.

  • Do not click on links in ads that go to unknown websites.

  • If you are unsure about an ad, you can report it to Meta, but be careful. I was banned for reporting malicious ads before.

  • Use a firewall and antivirus software to protect your computer from malware attacks. You need an updated antivirus to keep your computer safe. Expired antivirus is useless, like what happened to PhilHealth.

If you realize after reading this that you have downloaded malware from a Meta ad, you should immediately disconnect from the internet and scan your computer for viruses and other malicious software.