
Facebook pages infecting thousands of users with virus

A team of website security specialists detected and exposed a campaign that, taking advantage of Libya-related news, has deployed dozens of fake Facebook sites and profiles to distribute malware over the past five years.

The links used by the attackers redirected the victims to sites that hosted malware for Android and Windows devices; one of the main attack vectors was the use of a fake Facebook profile allegedly operated by Field Marshal Khalifa Haftar, commander of the Libyan National Army.

This fake profile was created in early April and had more than 11k followers, posting content related to military campaigns and conspiracy theories accusing countries such as Turkey of espionage against Libya. Among other things, the posts in this profile also offered a so-called app that the people of Libya could use to find information on the country’s army.

Website security specialist firm Check Point reported that most of these links redirected the user to sites and applications previously identified as malicious content. Attackers infected the user with various remote management tools such as Houdini, Remcos and SpyNote; most of these are stored on hosting services like Google Drive and Dropbox.

The fake military posts were riddled with writing errors and misspellings. Based on the type of errors and the form of writing, experts are convinced that the perpetrators of this campaign are Arabic speakers.

Afterwards, website security specialists began searching for other pages with writing errors similar or identical to those found in the fake Facebook profile, discovering at least 30 additional pages, all active since 2014. Of this set, the five pages with the most followers had, in total, at least 400k followers.

According to specialists from the International Institute of Cyber Security (IICS), this Facebook account also leaked confidential information, possibly stolen from the victims of this campaign. The data included documents belonging to the Libyan government, emails, and government officials’ telephone numbers and passport photos. In recent days Facebook posted a statement mentioning that the pages had already been deleted.
