- Vietnamese-speaking hackers are using fake browser extensions to steal Facebook Business and Ads accounts.
- Bitdefender found two campaigns promoting a malware-laced extension called SocialMetrics Pro through deceptive ads and tutorials.
- The malware exfiltrates session data to Telegram bots, enabling account theft and resale for malvertising.
Vietnamese hackers are once again going after people’s Facebook Business and Ads accounts, this time through fake browser extensions.
Earlier this week, security researchers at Bitdefender spotted two separate campaigns that use fake websites and malvertising to promote an extension promising the blue check badge for Facebook and Instagram accounts.
The extension is called SocialMetrics Pro, and it’s being promoted through at least 37 ads.
Selling Facebook accounts
These ads lead to websites that not only deliver the malware, but also come with a video tutorial that walks victims through the process of getting verified on Facebook and Instagram.
The malware itself is hosted on Box – a legitimate cloud storage service provider.
When the malware is installed, it grabs the victim’s IP address and Facebook session cookies and relays them to a Telegram bot. Some variants were also seen interacting with the Facebook Graph API, pulling more information about the target accounts.
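For defenders triaging installed extensions, the behavior described above suggests a simple heuristic: flag any extension that can read facebook.com cookies and also references a Telegram endpoint in its scripts. The following is an added example, not code from Bitdefender or from the malware; it assumes a Chromium-style manifest.json, and the sample manifests and scripts are constructed.

```python
import json
import re

# Hosts the article names: Telegram bots (exfiltration) and the Facebook Graph API.
INDICATORS = {"telegram-endpoint": "api.telegram.org",
              "graph-api": "graph.facebook.com"}
# Host patterns that cover facebook.com, including catch-all patterns.
FB_SCOPE = re.compile(r"<all_urls>|://\*/|facebook\.com")

def audit_extension(manifest_text, scripts):
    """Return findings for one unpacked extension.

    manifest_text: contents of manifest.json
    scripts: {filename: source text} for the extension's JavaScript files
    """
    manifest = json.loads(manifest_text)
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # Manifest V3 lists host patterns in host_permissions; V2 mixes them into permissions.
    hosts = [h for h in manifest.get("host_permissions", []) if isinstance(h, str)]
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    findings = []
    if "cookies" in perms and any(FB_SCOPE.search(h) for h in hosts):
        findings.append("cookie-access: can read facebook.com cookies")
    for name in sorted(scripts):
        for kind, host in INDICATORS.items():
            if host in scripts[name]:
                findings.append(f"{kind}: {name} references {host}")
    return findings

def verdict(findings):
    """high = cookie access plus a Telegram endpoint, the combination described above."""
    kinds = {f.split(":", 1)[0] for f in findings}
    if {"cookie-access", "telegram-endpoint"} <= kinds:
        return "high"
    return "review" if kinds else "clean"

# Constructed samples (not taken from the real extension).
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "constructed-sample",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["https://*.facebook.com/*"]})
SUSPECT_SCRIPTS = {"background.js":
    'const a = "https://api.telegram.org/"; const b = "https://graph.facebook.com/";'}
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "constructed-benign",
                              "permissions": ["storage"]})
BENIGN_SCRIPTS = {"popup.js": "document.title = 'hello';"}

if __name__ == "__main__":
    for m, s in ((SUSPECT_MANIFEST, SUSPECT_SCRIPTS), (BENIGN_MANIFEST, BENIGN_SCRIPTS)):
        f = audit_extension(m, s)
        print(verdict(f), f)
```

A "review" verdict means only one signal was present; legitimate extensions can hold broad cookie access or call the Graph API, so treat it as a prompt for manual inspection rather than a detection.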
Bitdefender believes the threat actors are selling access to these accounts on underground forums for profit.
Usually, criminals use these accounts to advertise their own malicious campaigns. To distribute malware to as many people as possible, hackers sometimes try to advertise it on Facebook.
However, since Meta engages in rigorous screening, signing up and setting up a malvertising campaign just like that is practically impossible. Instead, threat actors steal already verified business accounts with a clean ads record and abuse them for their attacks.
Bitdefender’s researchers believe this to be the work of a Vietnamese-speaking threat actor due to, among other things, Vietnamese language in the how-to video guides posted on the malicious sites.
“By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns,” Bitdefender said. “This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse.”
Via The Hacker News