New phishing attack targets Facebook Messenger users

By 薇琪斯塔夫羅普盧

September 11, 2023

A recent phishing attack is spreading through Facebook Messenger, using a network of fake and hijacked personal accounts to send messages with malicious attachments. Known as MrTonyScam, the campaign originates from a Vietnam-based group and employs a multi-stage process with obfuscation methods to deploy a Python-based stealer.

In these attacks, potential victims receive enticing messages that prompt them to click on RAR and ZIP archive attachments. These attachments contain a dropper that fetches the next-stage payload from a GitHub or GitLab repository. The payload, in turn, includes an obfuscated Python-based stealer that extracts login credentials and cookies from various web browsers, sending them to an actor-controlled Telegram or Discord API endpoint.

An interesting tactic used by the attackers is to delete the stolen cookies after taking them. This logs the victims out of their accounts, giving the scammers an opportunity to hijack their sessions, change passwords, and take control of the accounts.
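
The stages described above (repository fetch, browser store access, upload to Telegram or Discord, cookie deletion) can be correlated per host in endpoint telemetry. The Python below is an added example, not code from the cited reports; the event schema, process names, browser list and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed names: adjust to your own telemetry schema and browser inventory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
STORES = {"cookies", "login data", "cookies.sqlite", "logins.json"}
CODE_HOSTS = ("github.com", "githubusercontent.com", "gitlab.com")
EXFIL_HOSTS = ("api.telegram.org", "discord.com")

# Constructed events (time, host, process, action, target); not campaign data.
CHROME = r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network"
SAMPLE_EVENTS = [
    ("2023-09-11T10:00:05", "pc-01", "cmd.exe", "net_connect", "raw.githubusercontent.com"),
    ("2023-09-11T10:00:40", "pc-01", "python.exe", "file_read", CHROME + r"\Cookies"),
    ("2023-09-11T10:00:55", "pc-01", "python.exe", "net_connect", "api.telegram.org"),
    ("2023-09-11T10:01:02", "pc-01", "python.exe", "file_delete", CHROME + r"\Cookies"),
    ("2023-09-11T11:00:00", "pc-02", "chrome.exe", "file_read", CHROME + r"\Cookies"),
    ("2023-09-11T11:05:00", "pc-02", "git.exe", "net_connect", "gitlab.com"),
]

def _host_in(target, domains):
    return any(target == d or target.endswith("." + d) for d in domains)

def classify(proc, action, target):
    """Map one event to a stage of the chain, or None if it is not relevant."""
    if proc.lower() in BROWSERS:  # browsers touch their own stores legitimately
        return None
    if action == "net_connect":
        if _host_in(target, CODE_HOSTS):
            return "fetch"
        if _host_in(target, EXFIL_HOSTS):
            return "exfil"
    elif action in ("file_read", "file_delete"):
        if PureWindowsPath(target).name.lower() in STORES:
            return "store_read" if action == "file_read" else "store_delete"
    return None

def detect(events, window=timedelta(minutes=10)):
    """Return {host: severity} where fetch, store read and exfil fall in one window."""
    hits = {}
    for ts, host, proc, action, target in sorted(events):
        stage = classify(proc, action, target)
        if stage:
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, seq in hits.items():
        for i, (start, stage) in enumerate(seq):
            seen = {s for t, s in seq[i:] if t - start <= window}
            if stage == "fetch" and {"store_read", "exfil"} <= seen:
                alerts[host] = "high" if "store_delete" in seen else "medium"
                break
    return alerts
```

On the sample data only `pc-01` alerts, at high severity because the cookie store is also deleted; a lone connection to GitLab or a browser reading its own cookie file does not.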

The presence of Vietnamese language references in the source code of the Python stealer, as well as the use of Cốc Cốc, a popular Chromium-based browser in Vietnam, suggests the threat actor’s links to the country.

The campaign has had a relatively high success rate, with an estimated 1 out of 250 victims being infected in the past 30 days. Most of the compromises have been reported in countries such as the U.S., Australia, Canada, France, Germany, Indonesia, Japan, Nepal, Spain, the Philippines, and Vietnam.

The motivation behind these attacks is the potential monetization of Facebook accounts with high reputation, seller ratings, and a large number of followers. These accounts can be sold on dark markets or used to spread advertisements and scams to a wide audience.

It is important for Facebook Messenger users to be cautious when opening attachments or clicking on links, especially from unfamiliar senders. Keeping software and browsers up to date and using strong, unique passwords for online accounts can also help protect against phishing attacks.

Sources: Guardio Labs, WithSecure, Zscaler ThreatLabz


