Security researchers at Proofpoint have uncovered a malicious Twitter advert that aims to steal users’ Facebook credentials.
So-called malvertising (where malicious software is inserted into online advertising in order to infect users) has been difficult to detect on social networks before this, but Proofpoint found an example that starts when a promoted Twittercard with a fake video is posted in a user’s Twitter feed.
For those that don’t know, Twittercards allow for the attachment of photos, videos and media to Tweets in order to drive traffic to a website.
“Proofpoint researchers recently detected and analysed a case of Twitter malvertising,” said the firm in a blog posting. “The attack combines malicious ads, fake social media pages, and malicious apps to lead from a single promoted ad to infection and theft of the user’s Facebook credentials.”
If the user clicks anywhere on the fake Facebook page, they are prompted to install the “Mapi Geni” app to enable viewing of video content. If the user tries to cancel the app install, an “error” message pops up and the only way out is to leave the page or close the tab.
If the user is unlucky enough to have installed the Mapi Geni app, it redirects the user from the fake Facebook page to the authentic Facebook login page. “When the user logs in (now or later, as long as the app is installed) a webinject loaded remotely will send credentials in parallel to a remote server.”
“If the malicious app has been installed, users need to remove the extension and change their Facebook password immediately,” said Proofpoint. It also said the user will have no idea their logins have been hacked.
What makes this attack so nasty is the fact the malvertising comes in a Promoted Tweet, and is therefore (wrongly) assumed by users to be legitimate and therefore ‘safe’. Another concern is the app is an extension available from the official Chrome Webstore (so appearing as “verified”).
Twitter had no comment to make when it was approached by TechWeekEurope. It did point out item 3 of its Ad Policy principles however.
“‘Don’t distribute spam, harmful code, or other disruptive content’ is one of the items we prohibit on the ads platform,” it says.
The attack is targeting parts of Europe and the Middle East, and while Proofpoint says the immediate goal is to steal Facebook credentials, the fact that the webinject is downloaded from a remote server means it could be changed at any time to perform other actions.
Proofpoint urged users to be wary of promoted content in their social media feeds and exercise extreme caution when prompted to install new or unknown apps in order to view online content.
Earlier this week, Malwarebytes warned about another malvertising attack that targeted some of the Internet’s most popular porn websites, including PornHub, YouPorn and Xhamster.
Other recent malvertising attacks have affected users of dating websites and even Forbes.com, leading many to question the safety of online advertising – especially ads running Flash.
Earlier in the year, Facebook signed a new partnership deal to tackle malvertising on its site.