How a botnet of Facebook Messenger users phished for business accounts.
By Tim Nodar, CyberWire senior staff writer
Sep 12, 2023

Bots for business compromise.

How a botnet of Facebook Messenger users phished for business accounts.

Guardio Labs is tracking a widespread phishing campaign that’s targeted millions of business accounts on Facebook Messenger, compromising about 1 in 70 of the targeted accounts. The campaign uses phony business inquiries to distribute “a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods.”

The threat actor behind the campaign appears to be a cybercriminal group based in Vietnam. The researchers note, “The threat actors hold an army of bots and fake Facebook accounts as well as a listing of millions of business accounts, pages, and managers — sending away over +100k phishing messages a week to Facebook users around the world.”

It’s a big botnet, but the technique isn’t novel.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, wrote to say that the technique is old news. “These sorts of large attacks have been common for decades. I don't see anything in this attack that hasn't been done for decades. Perhaps that should be the scary part of the lesson?” 

He explained that there’s been a lot of investment in countering this kind of attack. “Large social media companies (e.g., Facebook, Google, Microsoft, etc.) have been spending many tens of millions of dollars each year trying to stop these sorts of attacks. They start by trying to deny attackers access to legitimate accounts, starting with trying to deny attackers the ability to create brand new accounts.” 

Attack automation has complicated the defenders’ task. “It's very tough. The bad guys automate getting new accounts, using humans where needed, to answer CAPTCHAs. Whatever the good side comes up with to stop or slow down the attackers, the attackers will just try to move around it and automate. None of the vendors share the number of fraudulent accounts added and removed every day, but it's thought to be in the hundreds of thousands to millions each day.” And, he observed, this is one case in which the old saw about the attacker’s advantage does seem to hold true. “The legitimate vendors put down a huge percentage of fake accounts, but even if only a small percentage gets through, that's plenty of fake accounts to cause damage. And that doesn't count the number of legitimate customer accounts that were compromised by the bad guys using some sort of password attack or using password-stealing trojans like those covered in the article. A year or two ago, Microsoft revealed that 1 in every 160 of their customer email accounts are compromised each month despite their best efforts to the contrary. I don't think most of the world understands just how bad the problems are at the scales that the biggest vendors are fighting them.”