Meta Is Trying to Push Attackers to the Brink

The company is adding new tools as bad actors use ChatGPT-themed lures and mask their infrastructure in an attempt to trick victims and elude defenders.

The social media giant Meta warned today that malware actors are increasingly spreading their attack infrastructure across multiple platforms, presumably to make it more difficult for individual tech companies to detect their malicious activity. The company added, though, that it views the shift in tactics as a sign that industry crackdowns are working, and it says it is launching additional resources and protections for business users with the goal of raising the barriers for attackers even more.

On Facebook, Meta has now added new controls for business accounts to manage, audit, and limit who can become an account administrator, who can add other administrators, and who can perform sensitive actions like accessing a line of credit. The goal is to make it more difficult for attackers to use some of their most common tactics. For example, bad actors may take over the account of an individual who is employed by or otherwise connected to a target company, so the attacker can then add the compromised account as an administrator on the business page.

Meta is also launching a step-by-step tool for businesses to help them flag and remove malware on their enterprise devices and will even suggest using third-party malware scanners. The company says it sees a pattern in which users' Facebook accounts are compromised, the owners regain control, and then the accounts are re-compromised because the targets' devices are still infected with malware or have been reinfected.

“This is an ecosystem challenge, and there’s a lot of adversary adaptation,” says Nathaniel Gleicher, Meta’s head of security policy. “What we’re seeing is adversaries working really hard, but defenders moving more systematically. We're not just disrupting individual bad actors; there are a number of different ways that we are countering them and making it harder.”

The move to distribute malicious infrastructure across multiple platforms has advantages for attackers. They may distribute ads on a social network like Facebook that aren't directly malicious but that link to a fake creator page or other niche profile. On that site, attackers can post a special password and link to a file-sharing service like Dropbox or Mega. Then they can upload their malicious file to the hosting platform and encrypt it with the password from the previous page to make it harder for companies to scan and flag. In this way, victims follow the bread crumbs through a chain of legitimate-looking services, and no one site has a complete view of every step in the attack.
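The last step in that chain, a password-protected archive parked on a file-sharing service, defeats content scanning precisely because the scanner can't open it. A defender's counter is to treat "can't inspect" as a signal rather than a pass. The following Python is an added illustration written for this article, not code from Meta or any of the companies mentioned: it builds a constructed in-memory ZIP, optionally marks it as password-protected by flipping the encryption bit in the headers (no real encryption is applied; the sample is harmless placeholder bytes), and then triages the archive so that encrypted members are held for review instead of being silently skipped. The function names, the verdict labels, and the list of "interesting" extensions are all assumptions for the example.

```python
import io
import zipfile

# Extensions worth a closer look when they arrive inside an archive (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".bat", ".msi")


def build_sample_zip(encrypted: bool) -> bytes:
    """Construct a small in-memory ZIP for demonstration.

    When `encrypted` is True, bit 0 of the general-purpose flag is set in both
    the local file header (offset 6) and the central directory entry (offset 8),
    which is how ZIP readers recognise a password-protected member. Nothing is
    actually encrypted; the member body is a constructed placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("installer.exe", b"MZ placeholder, constructed for the example")
    data = bytearray(buf.getvalue())
    if encrypted:
        local_hdr = data.find(b"PK\x03\x04")
        central_hdr = data.find(b"PK\x01\x02")
        data[local_hdr + 6] |= 0x01
        data[central_hdr + 8] |= 0x01
    return bytes(data)


def triage_archive(data: bytes) -> dict:
    """Return a verdict for an archive fetched from a file-sharing link.

    The point is the failure mode described in the article: an encrypted
    archive cannot be content-scanned, so it must not fall through as "clean".
    Verdicts (assumed labels): 'reject', 'hold', or 'scan'.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "reject", "reason": "not a valid zip", "members": []}

    infos = zf.infolist()
    # Bit 0 of flag_bits is the traditional ZIP encryption flag.
    encrypted = [i.filename for i in infos if i.flag_bits & 0x01]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_SUFFIXES)]

    if encrypted:
        # Scanners will not see the payload; escalate instead of passing.
        return {"verdict": "hold",
                "reason": "password-protected members cannot be scanned",
                "members": encrypted}
    if executables:
        return {"verdict": "scan",
                "reason": "executable members present",
                "members": executables}
    return {"verdict": "scan",
            "reason": "plain archive",
            "members": [i.filename for i in infos]}


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, triage_archive(build_sample_zip(flag)))
```

Run as a script it prints one verdict per sample; the encrypted sample comes back as `hold` with the member name, so a pipeline built on this check never records a password-protected download as having been scanned.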

As public interest in generative AI chatbots like ChatGPT and Bard has ramped up in recent months, Meta also says it has seen attackers incorporating the topic into their malicious ads, claiming to offer access to these and other generative AI tools. Since March 2023, the company says, it has blocked more than 1,000 malicious links used in generative AI-themed lures so they can't be shared on Facebook or other Meta platforms, and it has shared the URLs with other tech companies. It has also reported multiple browser extensions and mobile apps related to these malicious campaigns.

Meta says the attackers who distribute a known malware strain called Ducktail have increasingly leaned on these techniques in an attempt to compromise a range of victims and take over Facebook business accounts to distribute more of their malicious ads. Meta attributes Ducktail's activity to actors in Vietnam, and the company recently issued a cease-and-desist letter to specific individuals, in addition to reporting the activity to law enforcement.

In late January, Meta also identified a new malware strain, dubbed NodeStealer, that was targeting Windows browsers to record victims' usernames and passwords, steal cookies, and use the data to compromise Facebook accounts as well as Gmail and Outlook accounts. Meta also attributes this campaign to Vietnamese actors, and it quickly began submitting takedown requests to hosting providers, domain registrars, and other application services that the actor was using for its activity and malware distribution. The company says these steps appear to have been disruptive, and it hasn't detected new samples of NodeStealer since February 27.

“What they’re counting on is that we are going to keep working in silos amongst companies and we’re not going to be able to follow them jump to jump, platform to platform,” Meta's Gleicher says. 

He adds that, in addition to adding new features for users, expanding Meta's automatic detections, and taking direct action against attackers, the company uses public disclosure and information-sharing with other companies and law enforcement as a way of making things more difficult for attackers.

“It’s easy to recognize that the more platforms need to coordinate, the more complex the defenses can be,” Gleicher says. “But the more distributed an adversary's operation is, the more they have to keep all these different platforms working together, and the number of victims who make it through that funnel is lower and lower. The more we force them to be distributed, the higher the cost on the adversary.”