Social media giant Facebook has successfully disrupted a cybercrime campaign that involved the theft of session cookies and the exploitation of compromised accounts to run malicious advertising campaigns. The campaign was discovered by Facebook’s security team, who identified an info stealer called “NodeStealer” being distributed on the platform. NodeStealer, a JavaScript-based malware executed through Node.js, specifically targeted session cookies associated with platforms like Facebook, Gmail, and Outlook.
By stealing session cookies, hackers gained unauthorized access to user accounts without needing login credentials. Because a session cookie represents a session that has already been authenticated, the stolen cookies also bypassed multi-factor authentication measures, making them a valuable asset for criminals engaged in identity theft. Once inside the compromised accounts, the attackers sought out Facebook profiles capable of running advertising campaigns. They then used these accounts to disseminate misinformation and direct unsuspecting users to websites hosting additional malware.
Upon discovering the campaign, Facebook promptly reported the hackers’ server to the domain registrar, resulting in its takedown on January 25, 2023. The campaign had been active for approximately two weeks, and the threat actors are believed to be of Vietnamese origin. The incident underscores the ongoing risks associated with session cookies and their potential exploitation by malicious actors.
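The cookie replay described above leaves a trace a platform can look for: a session that passed MFA from one client and later performs ad-related actions from another. The following is an added example, not code from Facebook or the original article; the event fields, action names and sample events are constructed assumptions, and the context comparison is a heuristic.

```python
# Constructed sample events, not real logs; all field names are assumptions.
EVENTS = [
    {"ts": 100, "session": "s-alice", "net": "198.51.100.0/24", "ua": "Chrome/110 Windows", "action": "login_mfa_ok"},
    {"ts": 160, "session": "s-alice", "net": "198.51.100.0/24", "ua": "Chrome/110 Windows", "action": "view_feed"},
    {"ts": 900, "session": "s-alice", "net": "203.0.113.0/24", "ua": "Firefox/109 Linux", "action": "view_ad_accounts"},
    {"ts": 960, "session": "s-alice", "net": "203.0.113.0/24", "ua": "Firefox/109 Linux", "action": "create_ad_campaign"},
    {"ts": 200, "session": "s-bob", "net": "192.0.2.0/24", "ua": "Safari/16 macOS", "action": "login_mfa_ok"},
    {"ts": 300, "session": "s-bob", "net": "192.0.2.0/24", "ua": "Safari/16 macOS", "action": "create_ad_campaign"},
    {"ts": 400, "session": "s-carol", "net": "203.0.113.0/24", "ua": "Firefox/109 Linux", "action": "create_ad_campaign"},
]

# Hypothetical names for the actions worth alerting on.
SENSITIVE_ACTIONS = {"create_ad_campaign", "add_payment_method"}


def find_replayed_sessions(events, sensitive=SENSITIVE_ACTIONS):
    """Flag sensitive actions made under a session cookie whose client context
    differs from the one recorded when that session passed MFA."""
    baseline = {}     # session id -> (net, ua) seen at the MFA-backed login
    first_drift = {}  # session id -> timestamp of the first mismatching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid, ctx = ev["session"], (ev["net"], ev["ua"])
        if ev["action"] == "login_mfa_ok":
            baseline[sid] = ctx          # fresh authentication resets the baseline
            first_drift.pop(sid, None)
            continue
        # A session with no recorded login has baseline None, so it always mismatches.
        if ctx == baseline.get(sid):
            continue
        first_drift.setdefault(sid, ev["ts"])
        if ev["action"] in sensitive:
            alerts.append({"session": sid, "ts": ev["ts"], "action": ev["action"],
                           "drift_since": first_drift[sid],
                           "had_login": sid in baseline})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

A match is a reason to require re-authentication before the action proceeds, since legitimate users also change networks and browsers.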
While the industry is working towards addressing the risks posed by cookies, progress has been slower than anticipated. Google’s Privacy Sandbox project aims to phase out third-party cookies and limit covert tracking, but implementation has been delayed. Third-party cookies were initially scheduled to be phased out by the end of 2022, but the deadline has been extended multiple times, with the current projection suggesting their removal by the end of 2024 or early 2025. The complexity of building new technologies, collaboration with publishers and developers, and industry-wide coordination have contributed to the extended timeline.