Libyan hacker used Facebook to spread malicious links

‘It is the largest malware campaign over Facebook that has ever been discovered,’ Check Point threat intelligence chief says; FB has removed fake pages and malicious links

Shoshanna Solomon was The Times of Israel's Startups and Business reporter

Illustrative: A hacker in action. (BeeBright; iStock by Getty Images)

In one of the largest malware campaigns discovered to date using the social media platform Facebook, a suspected Libyan hacker managed to access the private information of tens of thousands of victims by causing them to click on links and files posted on both fake and legitimate pages and groups on the platform, researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. said.

“It is the largest malware campaign over Facebook that has ever been discovered,” said Lotem Finkelstein, who heads the threat intelligence desk at Check Point in Tel Aviv, in a phone interview. The campaign was apparently aimed at both political and financial gain, he said. The victims were mainly from Libya, with some from Europe, the United States and Canada.

The discovery underlines that no platform is safe. Phishing, Finkelstein said, “is just technique” and hackers can use any platform, whether Facebook or WhatsApp or any other app, to plant malicious links in emails, messages or files.

The researchers have worked closely with Facebook over the past month to delete all of the 40 pages that were active in 2019, which lured 50,000 people just this year to fall into the “infection chain,” Finkelstein said.

Lotem Finkelstein heads the threat intelligence desk at Check Point Software Technologies in Tel Aviv, Dec. 3, 2018 (Shoshanna Solomon/Times of Israel)

These victims, who unwittingly clicked on links they received on their devices — cellphones or computers — were infected with Trojan malware that accessed their photos, passport numbers, identity cards and other sensitive information. The malware was delivered via links to ostensible reports leaked from Libya’s intelligence units exposing countries such as Qatar or Turkey conspiring against Libya, or ostensible photos of a captured pilot who tried to bomb the capital city of Tripoli, for example.

But instead of the promised content in the posts, the links would download the malware.

Among the people whose sensitive information was stolen were three “leading Libyan politicians” and the country’s Prime Minister Fayez al-Serraj, Finkelstein said. The hacker then made that sensitive information public.

In a blog post on Monday, Check Point researchers said the investigation started when they came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. Haftar’s forces are fighting against Libya’s internationally recognized government, and he is a key figure in the country’s ongoing civil war.

Tracking spelling and grammatical mistakes

The researchers noticed that the page impersonating Haftar had numerous spelling mistakes, including in the name of Haftar himself, as well as grammatical mistakes in Arabic “that were found in almost every post.” All of these were giveaways that the page was illegitimate.

“Those spelling mistakes are not ones that can be generated by online translation engines, and can indicate that the text was written by an Arabic speaker,” the blog said.

By looking up the unique mistakes, the researchers were then able to trace more than 40 Facebook pages that have been spreading malicious links since at least 2014. Some of those pages are extremely popular, have been active for many years, and are followed by more than 100,000 users.

Some of the most popular pages are one titled Official Libya, with 51,000 followers; Libya My People, with 110,000 followers; and the Emad al-Trablisi Official page, with 139,500 followers.

The pages deal with different topics but the one thing they have in common is their apparent target audience: Libyans, the post said.

Some of the pages impersonate important Libyan figures and leaders, others are supportive of certain political campaigns or military operations in the country, and the majority are news pages from cities such as Tripoli or Benghazi.

What can be learned from this incident, said Finkelstein, is that people should not click on links and files without first assessing the credibility of the information. “Question the credibility of the person who is sending you the file, and question the legitimacy of the information sent.”

A Facebook spokesperson said in a comment: “These Pages and accounts violated our policies and we took them down after Check Point reported them to us. We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”
