Malicious Chrome Extension Steals Businesses Ads Manager Login Details

Cybercriminals are using malicious Chrome extensions to steal Facebook login information in a recent operation.

The reports shared by Malwarebytes Labs also stated that sponsored posts and accounts impersonating Meta/Facebook’s Ads Manager have become more prevalent.

With a focus on Facebook advertising accounts, threat actors like DuckTail, which have been active for a while, have been watched and investigated by Meta.

“In total, we identified over 20 different malicious Facebook Ad Manager archives that installed Chrome extensions or instead went with traditional malware executables”, Malwarebytes reports.

Over 800 victims have been reported globally, including 310 in the US.

Malicious Chrome Extension

Researchers explain that once the MSI installer is finished, the batch script is run, and it effectively creates a new browser window that is started with the custom extension from the previous installation path and directs the victim to the Facebook login page.

“Malicious Google Chrome extensions are used to steal and extract login information,” researchers said.

“That custom extension is cleverly disguised as Google Translate and is considered ‘Unpacked’ because it was loaded from the local computer, rather than the Chrome Web Store,” researchers explain.

In reality, the code is wholly targeted at Facebook and obtaining crucial data bits enabling an attacker to log into accounts.

The threat actors’ interest in Facebook cookies, which they seek through cookies.getAll technique.

Fake Ads Manager Accounts

Scammers used verified accounts to purchase advertising from Meta. To handle their advertising with a “more professional and secure tool,” they were attempting to persuade potential victims to download software.

“These fraudulent accounts often have tens of thousands of followers and any of their posts can quickly become viral.

Scammers are primarily targeting business users who may spend ad dollars on the platform”, researchers said.

The initial step in compromising those accounts is to drive potential victims to external websites.

The Facebook Ads Manager program, promoted via a download link, serves as the lure.

Final Thoughts

Businesses may be enticed to optimize their Facebook ad campaigns by clicking on specific postings and installing programs that claim to boost their revenue.

This is an extremely risky practice, even if the instructions promise that the program is secure and malware-free.

As a result, if you downloaded one of those malicious Facebook Ad Manager installers, you should withdraw access to unfamiliar users from their Business Manager account profile that the fraudsters may have created and analyze their transaction history.