Malvertising Appears In Promoted Tweet To Steal Facebook Logins

Security researchers at Proofpoint have uncovered a malicious Twitter advert that aims to steal users' Facebook credentials.

So-called malvertising (where malicious software is inserted into online advertising in order to infect users) has been difficult to detect on social networks before this, but Proofpoint found an example that starts when a promoted Twittercard with a fake video is posted on a user's Twitter feed.

Promoted Tweet

For those who don't know, Twittercards allow photos, videos and other media to be attached to Tweets in order to drive traffic to a website.

“Proofpoint researchers recently detected and analysed a case of Twitter malvertising,” said the firm in a blog posting. “The attack combines malicious ads, fake social media pages, and malicious apps to lead from a single promoted ad to infection and theft of the user’s Facebook credentials.”

“The attack begins when a promoted Twittercard with a fake video is posted on a user's Twitter feed,” it said. “If the user clicks on the Twittercard, it opens a fake Facebook page for another user account. If the user is using a browser other than Google Chrome for desktops, clicking the Twittercard will open a nonexistent video on YouTube if the client IP address is known; or a fake (scam) adult social network if the client IP address is unknown.”

If the user clicks anywhere on the fake Facebook page, they are prompted to install the “Mapi Geni” app to enable viewing of video content. If the user tries to cancel the app install, an “error” message pops up and the only way out is to leave the page or close the tab.

If the user is unlucky enough to have installed the Mapi Geni app, it redirects the user from the fake Facebook page to the authentic Facebook login page. “When the user logs in (now or later, as long as the app is installed) a webinject loaded remotely will send credentials in parallel to a remote server.”

“If the malicious app has been installed, users need to remove the extension and change their Facebook password immediately,” said Proofpoint. It also said the user will have no idea their logins have been hacked.

What makes this attack so nasty is that the malvertising arrives in a Promoted Tweet, which users (wrongly) assume to be legitimate and therefore ‘safe’. Another concern is that the app is an extension available from the official Chrome Web Store (so it appears “verified”).

Twitter had no comment to make when it was approached by TechWeekEurope. It did, however, point out item 3 of its Ad Policy principles.

“‘Don’t distribute spam, harmful code, or other disruptive content’ is one of the items we prohibit on the ads platform,” it says.

The attack is targeting parts of Europe and the Middle East, and Proofpoint says that while the immediate goal is to steal Facebook credentials, the fact that the webinject is downloaded from a remote server means it could be changed at any time to perform other actions.

Proofpoint urged users to be wary of promoted content in their social media feeds and exercise extreme caution when prompted to install new or unknown apps in order to view online content.

Malvertising Attacks

Earlier this week, Malwarebytes warned about another malvertising attack that targeted some of the Internet’s most popular porn websites, including PornHub, YouPorn and Xhamster.

Other recent malvertising attacks have affected users of dating websites and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash.

Earlier in the year, Facebook signed a new partnership deal to tackle malvertising on its site.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
