Malware Targets Facebook Ads Manager to Steal Credit Card Data

Cybersecurity researchers are raising alarms over an upgraded version of NodeStealer, a Python-based malware designed to infiltrate Facebook Ads Manager accounts and steal sensitive information, including credit card data stored in web browsers.

This updated variant employs new tactics: it uses the Windows Restart Manager to unlock browser database files that a running browser holds open, pads its code with junk instructions to hinder analysis, and uses batch scripts to write and execute Python code at run time.

By targeting the Ads Manager accounts of its victims, NodeStealer may facilitate malicious advertising campaigns on Facebook, referred to as “malvertising.”

First documented by Meta in May 2023, NodeStealer originally functioned as JavaScript-based malware but has since evolved into a Python script capable of hijacking Facebook accounts. Researchers believe that Vietnamese threat actors are behind this malware, given their documented history of using malware to take control of Facebook advertising and business accounts for other illegal activities.

The most recent analysis shows that NodeStealer’s reach has expanded, targeting Facebook Ads Manager and Business accounts, which are critical for managing advertising campaigns across Facebook and Instagram.

The goal appears to be not only account takeover but also using compromised accounts for malvertising campaigns. These campaigns spread malware disguised as legitimate software or games to unsuspecting users.

According to researchers, the malware operates by generating an access token using cookies collected from the victim’s device, enabling it to retrieve account budget details via the Facebook Graph API. Interestingly, the malware avoids infecting systems located in Vietnam, likely to bypass local law enforcement scrutiny.

Some samples also abuse the Windows Restart Manager, a legitimate Windows API, to release the locks browsers hold on their database files, enabling the theft of stored credit card data. The stolen information is then transmitted via Telegram, demonstrating how cybercriminals continue to leverage popular messaging platforms despite policy changes aimed at curbing misuse.
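The tactics described above (a batch script launching Python, a script interpreter loading the Restart Manager library to get at browser database files, and exfiltration to the Telegram Bot API) each leave telemetry a defender can check. The script below is an added detection example written for this article; it is not code from the researchers' report or from the malware. It runs over constructed Sysmon-style events (process creation, network connection and image load), with invented PIDs, paths and hostnames; the set of script interpreters it watches and the two-tactic severity threshold are assumptions to adjust for your environment.

```python
from collections import defaultdict
from typing import Dict, List

# Interpreters the stealer variants described in the article are built on: the
# current Python build and the earlier JavaScript (Node) build. Assumed list.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "node.exe"}

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process create),
# 3 (network connect) and 7 (image load). Every PID, path and host is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 3900,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\bob\Downloads\Setup_Game.bat"'},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Users\bob\AppData\Local\Temp\py\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\Users\bob\AppData\Local\Temp\py\stage2.py"},
    {"EventID": 7, "ProcessId": 4188,
     "Image": r"C:\Users\bob\AppData\Local\Temp\py\python.exe",
     "ImageLoaded": r"C:\Windows\System32\rstrtmgr.dll"},
    {"EventID": 3, "ProcessId": 4188,
     "Image": r"C:\Users\bob\AppData\Local\Temp\py\python.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    # Benign noise: a developer running Python from a terminal, and the Windows
    # Installer using Restart Manager for its intended purpose.
    {"EventID": 1, "ProcessId": 5010, "ParentProcessId": 2200,
     "Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "CommandLine": r"python.exe -m pytest"},
    {"EventID": 7, "ProcessId": 1300,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\rstrtmgr.dll"},
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for processes matching the stealer's tactics.

    Events are expected in time order, as a Sysmon stream delivers them, so a
    cmd.exe creation is seen before the children it spawns.
    """
    hits: Dict[int, List[str]] = defaultdict(list)
    batch_shells = set()  # PIDs of cmd.exe instances started to run a .bat file
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = basename(ev["Image"])
        if eid == 1:
            if image == "cmd.exe" and ".bat" in ev.get("CommandLine", "").lower():
                batch_shells.add(pid)
            # Rule 1: a batch script launching a script interpreter.
            if image in SCRIPT_HOSTS and ev.get("ParentProcessId") in batch_shells:
                hits[pid].append("batch_spawned_interpreter")
        elif eid == 7:
            # Rule 2: interpreter loads the Restart Manager library (rstrtmgr.dll),
            # which the stealer uses to make the browser release its database files.
            if image in SCRIPT_HOSTS and basename(ev["ImageLoaded"]) == "rstrtmgr.dll":
                hits[pid].append("restart_manager_from_interpreter")
        elif eid == 3:
            # Rule 3: interpreter connecting to the Telegram Bot API host.
            host = ev.get("DestinationHostname", "").lower()
            if image in SCRIPT_HOSTS and host == "api.telegram.org":
                hits[pid].append("telegram_bot_api_from_interpreter")
    return dict(hits)


def severity(rules: List[str]) -> str:
    """Two or more distinct tactics on one process is rated high (assumed threshold)."""
    return "high" if len(set(rules)) >= 2 else "low"


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {severity(rules)} -> {', '.join(rules)}")
```

Each rule on its own is noisy in a developer-heavy fleet (terminals launch Python, installers load rstrtmgr.dll), which is why the example correlates by process ID and only rates a process high when several of the article's tactics coincide on it; in the sample stream only the batch-launched Python process meets that bar.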

Malvertising remains a profitable attack vector, with cybercriminals impersonating trusted brands to spread malware. For instance, a recent campaign launched on November 3, 2024, impersonated Bitwarden password manager software in Facebook-sponsored ads to distribute a malicious Google Chrome extension.

This demonstrates how threat actors continue to exploit trusted platforms like Facebook, leading to significant financial losses for both individuals and businesses.

To protect against such threats, individuals and organizations should adopt strong cybersecurity practices. These include using robust and unique passwords, enabling multi-factor authentication (MFA), and regularly monitoring ad accounts for suspicious activity.

Organizations should also educate employees on recognizing phishing attempts and use endpoint protection tools to detect and block malware.