Businesses’ Facebook accounts hacked to spread Redline Password Stealer malware

Vojtech Bocek 6 Sep 2022

Hacked Facebook accounts belonging to a Brazilian ISP, Mexican sporting goods store, mountain tourism site from Slovakia, and a computer repair shop in the Philippines are spreading posts linking to malware to users around the world.

Avast researchers have discovered hacked Facebook business pages spreading a password stealer called Redline Stealer, which is capable of stealing passwords and downloading further malware. The malware is available for purchase on the dark web for about $100 to $150, making it difficult to pinpoint a particular group or person hacking these accounts. 

Brazilian ISP promoting free downloads to European Facebook users 

We spotted a sponsored post on a Facebook feed a few weeks ago that was promoting a free Adobe Acrobat Reader. We were immediately suspicious, as the link shown in the post preview was “Mediafire.com”, not “Adobe.com”. Furthermore, the post came from a company called Viu Internet.
 

Viu Internet is an internet service provider from Brazil. More than 15,000 people follow their Facebook page. Since August, posts in English promoting free downloads of wallpaper applications, the video game Grand Theft Auto, Adobe Acrobat Reader, and Stray, also a video game, have appeared on the business's Facebook page. It’s obvious that the page has been hacked: the style of the posts and the content the page is promoting are very different from the posts uploaded before August. 

We aren’t sure if the hackers are using the business’ payment options to pay for the sponsored posts, or if they are covering the costs themselves and just leveraging the page’s community to ensure their posts reach actual people. 

The links in the post lead to a file on a storage and sharing site. To get infected, users have to download the file, extract the contents, and run the file. 

Viu Internet is warning people visiting their homepage that their Facebook page has been hacked. It looks like they are unable to retrieve access to their account.  

In addition to Viu Internet’s Facebook page, we are aware of a few more hacked Facebook pages posting the same content. These include a Mexican sporting goods store called Max Deportes (114,000+ Facebook followers), a Slovakian mountain tourism site named Mladi, gremo v hribe (2,000+ Facebook followers), and a computer repair shop, Computer Repair Davao in the Philippines (700+ Facebook followers).

We reported these posts and ads to Facebook using the on-site reporting function, but no action has been taken yet. Avast Antivirus blocks the malware distributed by these posts.

How you can protect yourself

  1. Offers too good to be true tend to be no good. The posts promote free access to otherwise paid-for content, which is a red flag. Cybercriminals try to entice people into downloading and running malicious files by packaging them as something free and desirable. 

  2. Check your sources. The posts promoting free game downloads and software don’t match the content normally posted by the Facebook accounts. Before clicking on a link, ask yourself, why is a Mexican sporting goods store promoting free access to the video game Stray?

  3. Download from trusted sources. If you are interested in downloading a game or software, download it from a reputable source, like from the software producer directly, or a trusted distribution service like Steam. 

  4. Report scams. If you see a scam or are suspicious of a post, report the scam to the social network you see it on. 

  5. Use security software. Security software, or antivirus, acts as a safety net, protecting even the most cautious users. As mentioned above, Avast Antivirus protects users from the malware spread in these posts. 

How businesses can protect their social media accounts

  1. Use strong passwords. Strong passwords protect accounts from hackers, because they are difficult to brute force. Passwords should ideally be 15 to 20 characters long and include a mix of upper and lower case letters, as well as special characters.  

  2. Use two-factor authentication. Two-factor authentication requires users to enter a second code along with their username and password. This code is typically sent to a mobile number or email address associated with the account, or it can be generated on a mobile device. If that user isn’t trying to log in to that account, two-factor authentication can also serve as a warning system when someone else is trying to break in. 

  3. Keep an eye on charges. Regularly check bank statements for suspicious charges. Hackers who gain access to an account with credit card information saved can potentially use this information to make their own purchases. 