Don't click - Facebook users are being targeted with some very NSFW malware attacks


Hackers are using the promise of adult content on social media to drop infostealing malware onto unsuspecting victims. 

This is according to a new report from Bitdefender, whose researchers recently discovered and analyzed a major operation on Facebook. The goal of the campaign is to steal sensitive personal information, as well as payment and cryptocurrency data. 

Based on the reach figures of the ads involved, the researchers estimate roughly 100,000 potential downloads of the malware, with the targeted cohort mainly men aged 45 or older.

Enter NodeStealer

Here’s how it works: the attackers create fake Facebook profiles and name them “Album Update”, “Album Girl News Update”, or similar. Then, they post a single blurred photo of a naked woman.

Then they use previously compromised Facebook Business accounts (those able to run Facebook Ad campaigns) to run ads promoting those profiles, claiming that new, fully visible photos will be uploaded soon. The message also tries to create a sense of urgency by stating that the pics will probably be deleted shortly after being posted.

Victims who click the link don't get any pictures. Instead they download an executable file named Photo Album.exe, which drops a new version of NodeStealer, a known infostealer. A link that promises photos but delivers an .exe is the tell-tale sign here: image content never needs to be executed.
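The lure chain above ends with a Windows executable delivered where the victim expects photos. As an added example (not code from Bitdefender's report or from this article), the script below classifies a downloaded file by its actual bytes rather than its name: it checks for the DOS "MZ" header and the "PE\0\0" signature that every Windows executable carries, compares that against the extension the file claims, and flags names built around the campaign's photo/album wording. The keyword list, the verdict labels and the sample files are assumptions constructed for the demonstration.

```python
"""Flag downloads that pose as photos but are really Windows executables.

Added example, not part of the original article or Bitdefender's tooling.
"""
import struct

# Magic bytes of common image formats (reference table built for this example).
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".dll")
# Hypothetical lure vocabulary taken from the profile names described in the article.
LURE_WORDS = ("photo", "album", "girl", "update")


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with 'MZ' and has 'PE\\0\\0' at the offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_image(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, fmt in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return fmt
    return None


def classify_download(name: str, data: bytes) -> str:
    """Return 'block', 'suspicious' or 'ok' for a downloaded file.

    block:      executable content arriving under a photo/album lure name, or
                executable content hiding behind a non-executable extension
    suspicious: a plain executable download, or an image extension whose bytes
                are not an image
    ok:         everything else
    """
    lower = name.lower()
    lure_name = any(word in lower for word in LURE_WORDS)
    claims_exe = lower.endswith(EXECUTABLE_EXTENSIONS)
    claims_image = lower.endswith(IMAGE_EXTENSIONS)

    if is_pe_executable(data):
        # A "photo album" should never be a PE file, and a PE file should never
        # claim a non-executable extension.
        if lure_name or not claims_exe:
            return "block"
        return "suspicious"
    if claims_image and sniff_image(data) is None:
        return "suspicious"
    return "ok"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-looking header: MZ stub, e_lfanew=0x40, PE signature."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed JPEG prefix


if __name__ == "__main__":
    for fname, blob in (
        ("Photo Album.exe", build_fake_pe()),
        ("holiday.jpg", build_fake_pe()),
        ("setup.exe", build_fake_pe()),
        ("holiday.jpg", SAMPLE_JPEG),
    ):
        print(f"{fname:18} -> {classify_download(fname, blob)}")
```

The point of checking the PE signature, rather than only the extension, is that a dropper renamed to Photo Album.jpg would still be caught; the name-based lure check is a second, weaker signal layered on top.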

Earlier versions were designed primarily to steal session cookies from web browsers and use them to take over people's Facebook accounts without needing the password. According to the report, this new version also gives the attackers access to email platforms such as Gmail and Outlook, and can steal cryptocurrency from victims' wallets.

The campaign also seems to be quite successful, as a single ad generated as much as 15,000 downloads in the first 24 hours.

If you're wondering why Facebook doesn't just remove these ads, it probably is trying to. However, the attackers run at most five active ads at a time and rotate them roughly every 24 hours, which limits how long any one ad is exposed to user reports before it is swapped out.

The best advice for staying safe from this and similar threats is to use common sense when browsing: if something looks like a scam, it probably is. In particular, a link that promises pictures but hands you an executable file should simply not be opened.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.