Cybersecurity technology company Bitdefender Labs has identified a new computer virus called NodeStealer that is spreading online. The malware seeks to exploit user behavior, and marks a dangerous turn in cybercrime tactics on Facebook.
NodeStealer is designed to plunder the user’s cookies and passwords, and exploits web browser data to hack into user’s Facebook accounts. The scale of these campaigns is reported to be enormous.
In order to carry out their attacks, hackers use sophisticated malware campaigns that appear in the form of ads, also known as malvertising.
The ads often appear as if they originate from Meta, Facebook’s parent company, but in reality they enable the NodeStealer virus download, which then allows hackers to track users’ online activity.
For example, hackers will use something appealing—such as images of attractive young women—to lure in unsuspecting users. Clicking on the image, however, can unleash a virus that then steals the user’s passwords and personal details.
Researchers from Bitdefender have identified at least 10 Facebook business accounts that were hacked in order to distribute these types of ads. An associated link is often posted alongside the ad, that says “Photo Album.”
When clicking on this link, a malware file is downloaded onto the user’s computer, which in turn facilitates access to browser cookies and passwords, opening the door for the hackers to get into the user’s accounts.
Bitdefender’s analysis estimates that as many as 100,000 potential downloads can be achieved using the fake ads, and that a single ad can amass up to 15,000 downloads in a 24-hour period.
The nature of the virus attacks appear to be highly targeted. By using ad credit balances from hacked business accounts, the ads are distributed to specially selected demographics, with males over 45 the most severely impacted.
A Mutating Virus
What’s even more concerning is the rapid transformation the virus has undergone. When it was first identified by Meta’s security team early this year, its primary function appeared to be one of stealing browser cookies and hijacking accounts at scale. However, the virus now has features to penetrate additional platforms.
This means that programs like Gmail and Outlook can also be potentially compromised. NodeStealer’s enhanced modifications can go as far as stealing crypto wallet balances and downloading further malicious payloads.
Fake Facebook pages with names like “Album Update” or “Hot Album Update Today” entice users with the promise of revealing content, but merely serve as a cover for spreading NodeStealer malware.
A compromised device can also allow cybercriminals to hack into Facebook accounts and target sensitive information. The hackers then have the opportunity to alter passwords and even lock users out of their accounts, which can result in anything from financial theft to identity fraud—all the while going undetected by Meta’s security measures.
There are, however, options for users to protect themselves from these attacks.
According to Bitdefender, a reputable antivirus protection system is essential. It is also advised to be cautious in any online interactions, such as not clicking on links from unknown or untrustworthy sources. This applies especially to links with unusual notifications, or unsolicited pop-ups.
For the NodeStealer virus in particular, any suggested downloads should be treated with caution, such as prompts to download photo albums. If the sources provided are Bitbucket, Gitlab, or Dropbox, they are likely traps set by cybercriminals to ensnare unsuspecting users.
It is also recommended that users keep an eye out for any unusual account activity. This can include unexpected password-reset emails, unrecognized logins, or uninitiated security changes.
Sharing knowledge and experiences with others, such as friends, family, and co-workers can also help reduce the spread of such online traps.
