Malvertising Appears In Promoted Tweet To Steal Facebook Logins

Security researchers at Proofpoint have uncovered a malicious Twitter advert that aims to steal users Facebook credentials.

So-called malvertising (where malicious software is inserted in online advertising in order to infect users) has been difficult to detect on social networks before this, but Proofpoint found an example that starts when a promoted Twittercard with a fake video is posted on user’s Twitter feed.

Promoted Tweet

For those that don’t know, Twittercards allow for the attachment of photos, videos and media to Tweets in order to drive traffic to a website.

“Proofpoint researchers recently detected and analysed a case of Twitter malvertising,” said the firm in a blog posting. “The attack combines malicious ads, fake social media pages, and malicious apps to lead from a single promoted ad to infection and theft of the user’s Facebook credentials.”

The attack begins when a promoted Twittercard with a fake video posted on user’s Twitter feed,” it said. “If the user clicks on the Twittercard, it opens a fake Facebook page for another user account. If the user is using a browser other than Google Chrome for desktops, clicking the Twittercard will open a nonexistent video on YouTube if the client IP address is known; or a fake (scam) adult social network if the client IP address is unknown.”

If the user clicks anywhere on the the fake Facebook page, they are prompted to install the “Mapi Geni” app to enable viewing of video content. If the user tries to cancel the app install, an “error” message pops up and the only way out is to leave the page or close the tab.

If the user is unlucky enough to have installed the Mapi Geni app, it redirects the user from the fake Facebook page to the authentic Facebook login page. “When the user logs in (now or later, as long as the app is installed) a webinject loaded remotely will send credentials in parallel to a remote server.”

“If the malicious app has been installed, users need to remove the extension and change their Facebook password immediately,” said Proofpoint. It also said the user will have no idea their logins have been hacked.

What makes this attack so nasty is the fact the malvertising comes in a Promoted Tweet, and is therefore (wrongly) assumed by users to be legitimate and therefore ‘safe’. Another concern is the app is an extension available from the official Chrome Webstore (so appearing as “verified”).

Twitter had no comment to make when it was approached by TechWeekEurope. It did point out item 3 of its Ad Policy principles however.

“‘Don’t distribute spam, harmful code, or other disruptive content’ is one of the items we prohibit on the ads platform,” it says.

The attack is targeting parts of Europe and the Middle East, and while Proofpoint says that while the immediate goal is to steal the Facebook credentials, the fact that the webinject is downloaded from a remote server means that it could be changed at any time to perform other actions.

Proofpoint urged users to be wary of promoted content in their social media feeds and exercise extreme caution when prompted to install new or unknown apps in order to view online content.

Malvertising Attacks

Earlier this week, Malwarebytes warned about another malvertising attack that targeted some of the Internet’s most popular porn websites, including PornHub, YouPorn and Xhamster.

Other recent malvertising attacks have affected users of dating websites and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash.

Earlier in the year, Facebook signed a new partnership deal to tackle malvertising on its site.

What do you know about Internet security? Find out with our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago