Malvertising Appears In Promoted Tweet To Steal Facebook Logins

Rogue advert on Twitter aims to infect and then steal a user’s Facebook credentials, Proofpoint warns

Security researchers at Proofpoint have uncovered a malicious Twitter advert that aims to steal users Facebook credentials.

So-called malvertising (where malicious software is inserted in online advertising in order to infect users) has been difficult to detect on social networks before this, but Proofpoint found an example that starts when a promoted Twittercard with a fake video is posted on user’s Twitter feed.

Promoted Tweet

For those that don’t know, Twittercards allow for the attachment of photos, videos and media to Tweets in order to drive traffic to a website.

“Proofpoint researchers recently detected and analysed a case of Twitter malvertising,” said the firm in a blog posting. “The attack combines malicious ads, fake social media pages, and malicious apps to lead from a single promoted ad to infection and theft of the user’s Facebook credentials.”

Julien Tromeur - Twitter SorryThe attack begins when a promoted Twittercard with a fake video posted on user’s Twitter feed,” it said. “If the user clicks on the Twittercard, it opens a fake Facebook page for another user account. If the user is using a browser other than Google Chrome for desktops, clicking the Twittercard will open a nonexistent video on YouTube if the client IP address is known; or a fake (scam) adult social network if the client IP address is unknown.”

If the user clicks anywhere on the the fake Facebook page, they are prompted to install the “Mapi Geni” app to enable viewing of video content. If the user tries to cancel the app install, an “error” message pops up and the only way out is to leave the page or close the tab.

If the user is unlucky enough to have installed the Mapi Geni app, it redirects the user from the fake Facebook page to the authentic Facebook login page. “When the user logs in (now or later, as long as the app is installed) a webinject loaded remotely will send credentials in parallel to a remote server.”

“If the malicious app has been installed, users need to remove the extension and change their Facebook password immediately,” said Proofpoint. It also said the user will have no idea their logins have been hacked.

What makes this attack so nasty is the fact the malvertising comes in a Promoted Tweet, and is therefore (wrongly) assumed by users to be legitimate and therefore ‘safe’. Another concern is the app is an extension available from the official Chrome Webstore (so appearing as “verified”).

Twitter had no comment to make when it was approached by TechWeekEurope. It did point out item 3 of its Ad Policy principles however.

“‘Don’t distribute spam, harmful code, or other disruptive content’ is one of the items we prohibit on the ads platform,” it says.

The attack is targeting parts of Europe and the Middle East, and while Proofpoint says that while the immediate goal is to steal the Facebook credentials, the fact that the webinject is downloaded from a remote server means that it could be changed at any time to perform other actions.

Proofpoint urged users to be wary of promoted content in their social media feeds and exercise extreme caution when prompted to install new or unknown apps in order to view online content.

Malvertising Attacks

Earlier this week, Malwarebytes warned about another malvertising attack that targeted some of the Internet’s most popular porn websites, including PornHub, YouPorn and Xhamster.

Other recent malvertising attacks have affected users of dating websites and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash.

Earlier in the year, Facebook signed a new partnership deal to tackle malvertising on its site.

What do you know about Internet security? Find out with our quiz!