Threat actors have launched a sophisticated malvertising campaign on Meta, duping content creators and businesses with deceptive video tutorials and a malicious browser extension that promises to unlock the coveted blue verification tick.
At least 37 ads originated from the same Facebook account, each embedding a Box.com link to host the extension installer and associated tutorial video.
Bitdefender researcher Ionut Baltariu attributes the operation to Vietnamese-speaking actors, as evidenced by Vietnamese narration and inline code comments explaining how to customize the fake tick’s size and position.
How the Campaign Operates
The malicious ads employ a multi-stage infection chain. First, victims click on a sponsored tutorial video that appears to demonstrate how to add verification features via a browser extension.
The video includes voice-over instructions in Vietnamese, guiding users to download a .CRX file from Box.com. Once installed, the extension injects a script into Facebook pages, intercepting calls to the session cookie jar.
The exfiltration routine sends stolen cookies and the user’s IP address—retrieved via an HTTPS call to ipinfo.io/json—to a Telegram bot under attacker control.

Analysis of the extension’s source reveals that the code was likely generated or assisted by AI. The obfuscation is weak, relying on generic variable names like var1 and dataTransfer, but still accomplishes its task.
Commented sections labeled “adjustable parts” enable rapid modification of exfiltration endpoints and compatibility tweaks for different browsers. This modular design indicates an industrialized workflow: ad creatives, tutorial videos, and extension variants can be mass-produced and cycled to evade platform takedowns.
Escalation to Facebook Business Account Hijacking
Beyond cookie theft, specific extension variants leverage the stolen access tokens to query the Facebook Graph API. Attackers enumerate connected Business accounts, harvest their IDs and names, and package them for sale in underground Telegram channels.
Compromised Business accounts fetch a premium price on illicit markets, as they carry admin access to Pages, ad budgets, and audience data. These hijacked accounts subsequently fuel new malvertising campaigns, creating a self-sustaining revenue loop that amplifies the threat.
Victims often overlook the risk because the initial unauthorized action is limited to a brief cookie grab, with no immediate visible impact.
By the time business owners realize their ad budgets are depleted or their Pages have been repurposed for new scams, attackers have already monetized the access.
Best Practices to Defend Against Verification Scams
There is no legitimate browser extension that grants Meta verification. Users should only install extensions from trusted repositories such as the Chrome Web Store or Firefox Add-ons.
Organizations and creators must enforce strict extension policies through enterprise-grade endpoint protection. Enabling multi-factor authentication and monitoring login alerts can block unauthorized sessions.
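As an added example (not code from Bitdefender or from the extension itself), the following Python sketch triages an unpacked extension directory for the behaviour described above: cookie access scoped to Facebook, the ipinfo.io/json lookup, and calls to Telegram or the Graph API. The hostnames api.telegram.org and graph.facebook.com are the services' public API hosts and are assumed here rather than quoted from the sample; the two test extensions are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# ipinfo.io/json is named in the article; the Telegram Bot API and Graph API
# hostnames are assumptions based on the services' public endpoints.
NETWORK_IOCS = {
    "ip_lookup": re.compile(r"ipinfo\.io/json", re.I),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "graph_api": re.compile(r"graph\.facebook\.com", re.I),
}

def triage_extension(ext_dir):
    """Return a sorted list of findings for one unpacked extension directory."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    findings = set()
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = perms + manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    touches_fb = any("facebook.com" in h or h in ("<all_urls>", "*://*/*") for h in hosts)
    if "cookies" in perms and touches_fb:
        findings.add("cookies_permission_on_facebook")
    for js in root.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        findings.update(n for n, p in NETWORK_IOCS.items() if p.search(text))
    return sorted(findings)

def build_sample(root, permissions, script):
    """Write a constructed (not real) extension to disk for the demo."""
    root.mkdir(parents=True)
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "permissions": permissions, "host_permissions": ["*://*.facebook.com/*"]}
    (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "background.js").write_text(script, encoding="utf-8")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_sample(Path(tmp) / "bad", ["cookies"],
            'const a = "https://ipinfo.io/json"; const b = "https://api.telegram.org/bot<PLACEHOLDER>/sendMessage";')
        ok = build_sample(Path(tmp) / "ok", ["storage"], 'console.log("theme loaded");')
        return triage_extension(bad), triage_extension(ok)

if __name__ == "__main__":
    print(demo())
```

A finding is a reason to review the extension by hand, not a verdict: string matching misses obfuscated URLs, and legitimate extensions can hold the cookies permission.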
Security solutions like Bitdefender Scamio detect and sandbox suspicious URLs, while Digital Identity Protection tracks signs of data exposure.
For small businesses, specialized suites such as Bitdefender Ultimate Small Business Security defend against malicious extensions, phishing attempts, and ransomware, ensuring that social media presence remains secure even under targeted campaigns.