Malvertising Appears In Promoted Tweet To Steal Facebook Logins

Security researchers at Proofpoint have uncovered a malicious Twitter advert that aims to steal users’ Facebook credentials.

So-called malvertising (where malicious software is inserted into online advertising in order to infect users) has been difficult to detect on social networks until now, but Proofpoint found an example that starts when a promoted Twittercard with a fake video is posted on a user’s Twitter feed.

Promoted Tweet

For those that don’t know, Twittercards allow for the attachment of photos, videos and media to Tweets in order to drive traffic to a website.

“Proofpoint researchers recently detected and analysed a case of Twitter malvertising,” said the firm in a blog posting. “The attack combines malicious ads, fake social media pages, and malicious apps to lead from a single promoted ad to infection and theft of the user’s Facebook credentials.”

“The attack begins when a promoted Twittercard with a fake video is posted on a user’s Twitter feed,” it said. “If the user clicks on the Twittercard, it opens a fake Facebook page for another user account. If the user is using a browser other than Google Chrome for desktops, clicking the Twittercard will open a nonexistent video on YouTube if the client IP address is known; or a fake (scam) adult social network if the client IP address is unknown.”

If the user clicks anywhere on the fake Facebook page, they are prompted to install the “Mapi Geni” app to enable viewing of video content. If the user tries to cancel the app install, an “error” message pops up and the only way out is to leave the page or close the tab.

If the user is unlucky enough to have installed the Mapi Geni app, it redirects the user from the fake Facebook page to the authentic Facebook login page. “When the user logs in (now or later, as long as the app is installed) a webinject loaded remotely will send credentials in parallel to a remote server.”

“If the malicious app has been installed, users need to remove the extension and change their Facebook password immediately,” said Proofpoint. It also said the user will have no idea their logins have been hacked.

What makes this attack so nasty is that the malvertising arrives in a Promoted Tweet, and is therefore (wrongly) assumed by users to be legitimate and so ‘safe’. Another concern is that the app is a Chrome extension available from the official Chrome Web Store, so it appears to be “verified”.

Twitter had no comment to make when it was approached by TechWeekEurope. It did, however, point out item 3 of its Ad Policy principles.

“‘Don’t distribute spam, harmful code, or other disruptive content’ is one of the items we prohibit on the ads platform,” it says.

The attack is targeting parts of Europe and the Middle East. Proofpoint says that while the immediate goal is to steal Facebook credentials, the fact that the webinject is downloaded from a remote server means it could be changed at any time to perform other actions.

Proofpoint urged users to be wary of promoted content in their social media feeds and exercise extreme caution when prompted to install new or unknown apps in order to view online content.

Malvertising Attacks

Earlier this week, Malwarebytes warned about another malvertising attack that targeted some of the Internet’s most popular porn websites, including PornHub, YouPorn and Xhamster.

Other recent malvertising attacks have affected users of dating websites and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash.

Earlier in the year, Facebook signed a new partnership deal to tackle malvertising on its site.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
