Researchers have exposed a network of Facebook accounts used to push malware and viruses to hundreds of thousands of users over the course of five years.
Ars Technica reports that, according to a post published this week by security firm Check Point, hackers have operated a network of Libya-themed news accounts across Facebook, which were used to push malware and viruses to tens of thousands of people over the last five years. Researchers first noticed the accounts when they were found to be impersonating Field Marshal Khalifa Haftar, the commander of Libya’s National Army.
The fake account boasted more than 11,000 followers and claimed to be publishing documents that revealed a conspiracy against Libya by Qatar and Turkey. Other posts advertised mobile apps that users could use to join the country’s army. In fact, these apps redirected users to VBScripts, Windows Script Files, and Android apps that contained malware.
The posts from the fake Haftar account featured multiple misspellings, typos, and grammatical errors. These hinted to Check Point that the content of the pages was generated by an Arabic speaker, since translation engines automatically converting the text from another language would be unlikely to introduce the errors the researchers observed.
The researchers discovered 30 Facebook pages, with some active since early 2014, spreading malicious links across the platform. The top five most popular pages were followed by more than 422,000 other Facebook users. The research firm found that just one link posted by the fake pages received 6,500 clicks, with 5,120 of them coming from Libya.
Researchers discovered another account by the name “Dexter Ly” which made similar typos to the ones found on the other pages. This account openly shared details about the malware campaign and even included screenshots showing the number of devices infected with viruses. The account also appeared to publish sensitive information that seems to have been taken from infected targets, including personal documents of Libyan government officials such as passports, emails, and phone numbers.
“These Pages and accounts violated our policies and we took them down after Check Point reported them to us,” Facebook officials said in a statement. “We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”
Check Point researchers commented on the network, stating, “Although the set of tools which the attacker utilized is not advanced nor impressive per se, the use of tailored content, legitimate websites and highly active pages with many followers made it much easier to potentially infect thousands of victims. The sensitive material shared in the ‘Dexter Ly’ profile implies that the attacker has managed to infect high profile officials as well.”