The hackers using a powerful tool that Facebook calls SilentFade hid themselves from their victims. But they couldn't hide their activity from Facebook, at least not forever. The company noticed in 2018 that someone was turning off almost all notifications on certain user accounts by exploiting a weakness in the social network's code.
The company's malware researchers followed that first clue and found a complex hacking campaign that let attackers place scammy ads using compromised Facebook and Instagram accounts. In technical details released Thursday, Facebook detailed how attackers carried out the campaign. Since Facebook fixed the bug that let attackers turn off notifications, SilentFade is no longer in use on the company's platforms. But Facebook cybersecurity experts said the company expects similar campaigns to become even more popular with hackers on all social media platforms.
The research found variants of the malware included tools for stealing credentials or session cookies for Facebook, Instagram, Twitter and Amazon. (Twitter and Amazon didn't immediately respond to requests for comment.)
Nathaniel Gleicher, Facebook's head of cybersecurity policy, said in a press briefing Thursday that he wants to see more collaboration between antivirus makers and social media platforms. Each has information the other needs to stop this kind of hacking campaign. Social media companies can see unusual account activity on its own platforms, and antivirus companies can see infections spreading on users' devices.
Sharing information would help tamp down the problem faster, Gleicher said. "It would be a strong move in the right direction," he added.
Facebook first went public about the hacking campaign in December,based in Hong Kong and two Chinese nationals for creating the malware behind the attacks. At the time, the company said the campaign compromised hundreds of thousands of accounts, and the company reimbursed more than $4 million in ad payments to users. The company and two individuals couldn't be reached for comment.
In the paper released Thursday, Facebook said it found that hackers compromised their victims by tricking them into installing SilentFade onto their devices. From there, hackers either stole the victims' Facebook or Instagram passwords or the session cookies that kept users logged into their accounts even when they closed their browsers. On accounts where users had stored a payment method for ads, the attackers used their access to place ads for handbags, sunglasses and diet pills.
In a further level of deception, the hackers used a technique called "cloaking" to hide the true content of the links they were including in the ads.
Rob Leathern, Facebook's business integrity head, said the hackers were looking for ways to make money off their access to Facebook and Instagram accounts. They were either earning commissions through ad affiliate networks, or making money by selling products, he said.