Facebook says it stamped out some dangerous account-stealing malware


Social media powerhouse Facebook says it has thwarted a cybercrime campaign in which hackers were stealing people’s session cookies and using certain accounts to run malicious advertising campaigns on the platform.

In a blog post, Facebook said it discovered an infostealer called “NodeStealer” being distributed throughout the platform. NodeStealer is malware written in JavaScript and executed through Node.js, whose goal is to scan the target endpoint for session cookies for platforms such as Facebook, Gmail, or Outlook.

By exfiltrating session cookies, threat actors are able to access people’s accounts without knowing their login credentials. Cookies also allow them to bypass multi-factor authentication, making them extremely potent and a popular target among identity theft criminals.
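Why a copied session cookie sidesteps multi-factor authentication, and one server-side mitigation, shown as an added example that is not from Facebook's post or this article. The in-memory session store, the function names, the stubbed credential check and the client-context fields are all hypothetical.

```javascript
// Added illustration (constructed, not from the article): MFA is verified once
// at login; afterwards the session token in the cookie is the only proof.
const crypto = require('crypto');

const sessions = new Map(); // token -> { user, ctxHash }

// Coarse client context (assumption for this sketch): user agent + network prefix.
function contextHash(ctx) {
  return crypto.createHash('sha256')
    .update(`${ctx.userAgent}|${ctx.ipPrefix}`)
    .digest('hex');
}

// Password and MFA code are checked here and nowhere else.
// The expected values are constructed constants standing in for a real check.
function login(user, password, mfaCode, ctx) {
  if (password !== 'correct-horse' || mfaCode !== '123456') return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, { user, ctxHash: contextHash(ctx) });
  return token;
}

// Cookie-only validation: any client presenting the token is treated as the
// user, so neither the password nor the MFA code is ever asked for again.
function authorizeCookieOnly(token) {
  const s = sessions.get(token);
  return s ? { ok: true, user: s.user } : { ok: false };
}

// Context-bound validation: a token presented from a different client context
// is revoked, which forces a fresh login (and a fresh MFA check).
function authorizeBound(token, ctx) {
  const s = sessions.get(token);
  if (!s) return { ok: false, reason: 'unknown-session' };
  if (s.ctxHash !== contextHash(ctx)) {
    sessions.delete(token);
    return { ok: false, reason: 'context-mismatch' };
  }
  return { ok: true, user: s.user };
}
```

Context binding produces false positives when legitimate users change networks or browsers, so deployments typically pair it with short session lifetimes and re-authentication for sensitive actions.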

Running ads

Once they gained access to an account, the attackers would look for Facebook profiles that can run advertising campaigns. They would use these accounts to push misinformation or guide other Facebook users to more malware-distributing websites.

After learning of the campaign, the social media giant reported the hackers’ server to the domain registrar, which took it down on January 25, 2023. The campaign was live for roughly two weeks, the company said, adding that the threat actors were most likely of Vietnamese origin.

Cookies have become a major liability in recent times, which is why Google announced plans to ditch them from web browsers altogether. However, a report from early February this year states that users shouldn’t expect anything concrete before late 2024 or early 2025. 

Google’s project Privacy Sandbox hopes to phase out third-party cookies and limit covert tracking, but this involves building new technologies, working with publishers and developers, and collaborating with the entire industry, which seems to be taking a long time. By previous calculations, third-party cookies should have been gone by the end of last year. Then, Google said it had pushed its deadline to the end of 2023. Now, though, we’re looking at the end of 2024.

Sead Fadilpašić
