How hackers took over Facebook accounts to steal $4 million, promote scams

“We anticipate more platform-specific malware to appear," Facebook researchers said.
Facebook ad fraud takedown
Jimmy Baikovicius/Flickr

Facebook has fended off plenty of phony, pill-pushing ad campaigns over the years, but the company disrupted one effort last year that was particularly pernicious, and effective.

Hackers defrauded Facebook users out of more than $4 million in a scheme that security staffers have connected to a cybercrime network in China.

The details, revealed Thursday, demonstrate how attackers breached hundreds of thousands of Facebook accounts, scouring for users with payment methods attached to their profile, such as PayPal. The attackers would disable users’ notifications, and abuse their access to the victim account to place advertisements for diet pills and counterfeit products.

The hackers delivered their malware, dubbed SilentFade, through web browsers, rather than Facebook itself, making it more difficult to detect and root out.


“We anticipate more platform-specific malware to appear for platforms serving large and growing audiences, as the evolving ecosystem targeting Facebook demonstrates,” Facebook researchers Sanchit Karve and Jennifer Urgilez wrote in a paper released Thursday.

The alleged China-based scammers, who first surfaced in 2016, have also abused the Twitter and Amazon platforms. They have repeatedly updated their code, explored new hacking tools and used geolocation to try to make their Facebook logins appear legitimate.

“This type of malicious targeting…touches every platform,” Nathaniel Gleicher, Facebook’s head of security policy, told reporters on Thursday. “Once people’s devices or browsers get compromised by downloading malicious software off the internet, mitigation and detection options by tech platforms can be quite limited.”

The value of ad platforms

After discovering that campaign in 2018, Facebook in December 2019 sued two Chinese nationals and a company in Hong Kong for their alleged involvement, and asked a federal court to help stop the defendants from using the platform. Facebook also instituted tighter security measures for accounts in response.


While the password-stealing malware used in that campaign has gone quiet after Facebook discovered it, the alleged scammers have turned to other hacking tools.

“The [Facebook] report underscores just how valuable the ad platforms on social media are to cybercriminals because they allow them to hyper-target a specific audience — something that was once not feasible,” Satnam Narang, staff research engineer at security firm Tenable, told CyberScoop.

As social media firms have gotten better at detecting fake accounts, Narang said, “cybercriminals have had to pivot away from their usual tactics and have found that leveraging compromised accounts provides them with cover to continue operating their scams.”

Facebook has increasingly taken to the courts to try to stamp out fraudsters who have exploited the platform. In March 2019, the social media company sued two Ukrainian men for allegedly using the platform’s quiz apps to distribute malware.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts