A recent series of online attacks have been discovered, wherein fake browser extensions such as Madgicx Plus and SocialMetrics are being used to hijack Meta (Facebook and Instagram) Business accounts. These malicious tools are promoted using deceptive ads and websites, targeting business users and advertisers to steal sensitive information and tokens.

Key Takeaways

• Fake browser extensions are being distributed through misleading ads and counterfeit websites.

• The primary targets are Meta Business and advertising accounts, which can lead to significant financial and reputational losses.

• The attacks appear industrialized, with mass-generated materials and content mostly in Vietnamese, hinting at the possible origin of the threat actors.

• These extensions misuse API access and session cookies to take over accounts and steal credentials.

How the Attack Works

The threat actors employ a dual-pronged approach:

1. Malvertising & Deceptive Webpages: Victims are lured to websites offering add-ons falsely claiming to unlock enhanced features for Meta platforms, such as blue check verification badges or AI-based advertising optimization.

2. Installation & Hijack: Once installed, these extensions can:Harvest session cookies and credentials from logged-in Facebook and Google accounts.Send stolen data to attacker-controlled channels, often via Telegram bots.Interact with APIs (like the Facebook Graph API) to further mine account details or budget data.

Specific Threats Identified

Campaigns have been observed distributing multiple variants of these malicious tools:

Industrialized Malvertising

Security researchers note that attackers are increasingly industrializing the distribution of fake extensions. Elements such as advertisements, video tutorials, and even source code comments are localized in Vietnamese. This industrialization allows for:

• Mass generation of malicious content.

• Rapid refresh and redeployment of campaigns.

• Greater scalability, increasing the number of potential victims.

Impact and Next Steps for Businesses

Once a business account is compromised:

• Attackers can steal advertising budgets and sensitive business information.

• Stolen accounts are often sold in underground forums or used to launch subsequent malvertising schemes, perpetuating the threat.

Security Recommendations:

• Only install browser extensions from official, verified sources.

• Be wary of ads or online resources promising free perks related to social media accounts.

• Regularly review and update account security settings.

• Monitor account activity for unauthorized access or new browser extensions.

The ongoing evolution of these threats highlights the importance of vigilance among business users, particularly those managing social media advertising operations. As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.