Facebook Messenger Phishing Attack Unleashes Python-Based Stealer Malware

Facebook Messenger Phishing Attack: How attackers hijack user accounts


A new phishing campaign is abusing Facebook Messenger to send messages carrying malicious attachments from a “swarm of fake and hijacked personal accounts,” with the ultimate goal of taking over the recipients’ accounts.

“Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods,” Guardio Labs researcher Oleg Zaytsev wrote in a weekend analysis.

Targets receive Messenger messages (not emails) that persuade them to open a RAR or ZIP archive attachment. Doing so runs a dropper that retrieves the next stage from a GitHub or GitLab repository.

That payload is another archive containing a CMD file, which in turn carries an obfuscated Python-based stealer designed to exfiltrate all cookies and saved login credentials from several web browsers to an actor-controlled Telegram or Discord API endpoint.

The adversary’s notable twist is that the stealer deletes the cookies after stealing them, which logs the victims out of their own accounts. The scammers then use the stolen sessions to reset the passwords and take full control of the accounts before the victims can log back in.
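The chain described above (script interpreter pulling a stage-2 archive from GitHub/GitLab, then POSTing stolen data to a Telegram bot or Discord webhook) is a good fit for a proxy-log hunt. The following is an added example for detection purposes, not Guardio’s code or anything recovered from the campaign. The log format, host names and URLs are constructed; the specific Telegram `sendDocument`/`sendMessage` paths and the Discord `/api/webhooks/` path are assumptions, since the article names only the services. The signal comes from the process: a browser or the real Discord client talking to discord.com is normal, `python.exe` doing so right after `cmd.exe` fetched an archive from github.com is not.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Added example (not Guardio's code). Log shape and all URLs are constructed.

# Interpreters the dropped CMD/Python stager would run under. A browser or the
# genuine Discord client posting to discord.com is expected; python.exe is not.
SCRIPT_PROCS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe"}

# Stage 2 is fetched as an archive from a GitHub or GitLab repository.
STAGE_RE = re.compile(
    r"^https?://(?:[\w.-]+\.)?(?P<service>github|gitlab)\.com/\S+\.(?:zip|rar)$", re.I)

# Exfiltration sinks named in the analysis. The URL paths are assumptions.
EXFIL_RES = [
    ("telegram-bot-api",
     re.compile(r"^https?://api\.telegram\.org/bot[^/]+/send(?:Document|Message)", re.I)),
    ("discord-webhook",
     re.compile(r"^https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)),
]

# Constructed key=value proxy-log line format used for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) url=(?P<url>\S+) bytes_out=(?P<bytes>\d+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str
    kind: str      # "stage-download" or "exfil"
    service: str   # github / gitlab / telegram-bot-api / discord-webhook
    url: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy-log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding if this request looks like one step of the chain, else None."""
    if rec["proc"].lower() not in SCRIPT_PROCS:
        return None  # browsers and real chat clients are expected to talk to these sites
    url, method = rec["url"], rec["method"]
    m = STAGE_RE.match(url)
    if method == "GET" and m:
        return Finding(rec["ts"], rec["host"], rec["proc"], "stage-download",
                       m.group("service").lower(), url)
    if method == "POST":
        for service, pat in EXFIL_RES:
            if pat.match(url):
                return Finding(rec["ts"], rec["host"], rec["proc"], "exfil", service, url)
    return None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over raw log lines, skipping unparsable ones."""
    out: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = classify(rec)
        if f is not None:
            out.append(f)
    return out


def chained_hosts(findings: Iterable[Finding]) -> Set[str]:
    """Hosts showing both the stage download and an exfil POST: highest-confidence hits."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.host, set()).add(f.kind)
    return {h for h, k in kinds.items() if {"stage-download", "exfil"} <= k}


# Constructed sample log: one full chain (WS-014), one exfil-only host (WS-031),
# one benign Discord client hit (WS-022) and one lone stage download (WS-040).
SAMPLE_LOG = """\
2023-09-11T10:02:13Z host=WS-014 proc=chrome.exe method=GET url=https://www.facebook.com/messages/ bytes_out=412
2023-09-11T10:05:40Z host=WS-014 proc=cmd.exe method=GET url=https://github.com/acme-example/tools/raw/main/stage2.zip bytes_out=0
2023-09-11T10:06:02Z host=WS-014 proc=python.exe method=POST url=https://api.telegram.org/bot000000:EXAMPLE/sendDocument bytes_out=184320
2023-09-11T10:06:05Z host=WS-022 proc=Discord.exe method=POST url=https://discord.com/api/webhooks/1/example bytes_out=220
2023-09-11T10:07:19Z host=WS-031 proc=python.exe method=POST url=https://discord.com/api/webhooks/2/example bytes_out=92160
2023-09-11T10:08:00Z host=WS-040 proc=python.exe method=GET url=https://github.com/acme-example/tools/archive/main.zip bytes_out=0
"""

if __name__ == "__main__":
    fs = hunt(SAMPLE_LOG.splitlines())
    for f in fs:
        print(f"{f.ts} {f.host} {f.proc:12} {f.kind:15} {f.service:17} {f.url}")
    print("chained hosts:", sorted(chained_hosts(fs)))
```

The single-signal findings (a lone archive download from GitHub, or a lone webhook POST) are worth a look but noisy in environments where developers script against these APIs; the `chained_hosts` correlation, both steps on the same host, is what should page an analyst. In production, the process name would come from an EDR or a proxy that records the originating executable, and the byte count on the exfil POST is a useful third discriminator.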

Vietnamese-language references in the Python stealer’s source code, as well as its targeting of Cốc Cốc, a Chromium-based browser popular in the country, point to the threat actor’s ties to Vietnam.

Although infection requires the user to download the attachment, unzip it and run its contents, Guardio Labs found that the campaign has a high success rate, with roughly 1 in 250 recipients infected in the last 30 days alone.

The majority of the infections have been reported in the United States, Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines and Vietnam, among other countries.
