Latest news, 16 Mar, 2023

Hunting Meta Business Managers: scammers abuse Google Ads to steal Meta accounts

Howdy guys! You launch and run Meta accounts at close to the speed of light, because you have to catch a few trusted accounts that run cost-effectively and then increase their number so as not to lose income. It is unlikely that you have time to complain to the US cybersecurity services about leaked Business Manager accounts (BMA). However, Morphisec analysts are now investigating one of the schemes for stealing advertisers' BMAs on Meta, and it will be useful for you to read how to secure your accounts. The company has revealed how the scheme works, so let's check it out.
The worst part of this scheme is how cynical the method of stealing Meta accounts is. Scammers use Google Ads and fake Meta profiles that disguise a link to download malicious files as ads for games, adult content, and cracked software.

Morphisec's report indicates that the scammers collect sensitive information, including login data, cookies, data about the ads run from the Meta account, and information about the BMA.

The scheme is quite primitive if you look closely, but unfortunately, due to vulnerabilities in Windows, it still works. Fraudsters lure you into clicking the link using Google Ads (it's strange that Google still misses this) or Meta. The link supposedly leads to a ZIP file with a “game, movie or cracked program”, but in fact the downloaded file executes PHP scripts that steal information.

The key vulnerability today is the Windows OS and the way it loads DLL libraries in the background.

What a DLL is gets explained in plain, "human" language in a Microsoft blog:
“On Windows operating systems, the Comdlg32 DLL performs common functions related to dialog boxes. Each program can use the functions contained in this DLL to implement the Open dialog box. This promotes code reuse and efficient memory usage.

With the help of a DLL, a program can be divided into individual components. For example, an accounting program may be sold in modules. Each module can be loaded into the main program at run time if it is installed. Since the modules are separate, the program loading time is faster.”

Infostealer malware usually consists of two parts. First, a legitimate application is launched when a user clicks on a malicious link. The application itself is legitimate, but it contains a malicious dynamic link library, which the attackers get loaded in the background. The application in turn launches an installer that unpacks a PHP application with a set of data-stealing queries.
You can protect your account by following strict precautions:
  • Do not download anything from unknown links;
  • Disable the background uploads option in Windows;
  • Change account passwords periodically;
  • Do not link personal credit cards to working BMAs;
  • Just use macOS: choose an affiliate program that holds giveaways of Apple gadgets.
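
The two-part layout described above (an application shipped next to a DLL, plus a PHP application) can be looked for in a downloaded ZIP before anything is extracted or run. The Python sketch below is an added example, not code from Morphisec's report or from this article; the file names are constructed, and a hit is only a reason to inspect the archive, since many legitimate programs also ship an EXE beside its DLLs.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Assumption: names of the PHP interpreter binaries in Windows PHP builds.
PHP_RUNTIME = {"php.exe", "php-cgi.exe", "php-win.exe"}


def triage_zip(data):
    """Heuristic review of a downloaded ZIP, reading only its file list."""
    exes, dlls, php = defaultdict(list), defaultdict(list), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            name, folder = path.name.lower(), str(path.parent)
            if name.endswith(".exe"):
                exes[folder].append(path.name)
            elif name.endswith(".dll"):
                dlls[folder].append(path.name)
            if name.endswith(".php") or name in PHP_RUNTIME:
                php.append(info.filename)
    # Windows looks in the application's own folder when resolving DLLs,
    # so an EXE and a DLL in the same folder is the layout that lets a
    # legitimate program load a library bundled with it.
    colocated = {d: {"exe": sorted(exes[d]), "dll": sorted(dlls[d])}
                 for d in exes if d in dlls}
    return {"colocated": colocated, "php": sorted(php),
            "review": bool(colocated) or bool(php)}


def build_sample(files):
    """Build a constructed in-memory ZIP with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in files:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()


# Constructed samples: one mimics the described layout, one is harmless.
SUSPICIOUS = build_sample(["Game/setup.exe", "Game/helper.dll",
                           "Game/data/app/index.php", "Game/readme.txt"])
BENIGN = build_sample(["photos/a.jpg", "photos/notes.txt"])

if __name__ == "__main__":
    print(triage_zip(SUSPICIOUS))
    print(triage_zip(BENIGN))
```

An archive advertised as a game or a movie that also carries PHP scripts or a PHP interpreter is the stronger of the two signals.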

It is worth noting that the investigation has been ongoing since 2021, and the group of cybersecurity companies is barely keeping up with the pace of the scammers. The engineers at Vulcan Cyber even suggested banning Windows background uploads outright, but the company rejected this proposal, because the speed of the already slow operating system would suffer. While the investigation is ongoing and there is no ready-made solution, you need to take care of the security of your data yourself. So be careful with your accounts and don't be too lazy to double-check your data once again.
Feel free to share. We'll be happy to create helpful articles!
