How SilentFade group steals millions from Facebook ad spend accounts

Facebook is a magnet for scammers, thieves and other bad actors looking to swindle and manipulate the social media giant’s vast pool of users. One group discovered by Facebook’s in-house researchers took such a sophisticated approach to bilking Facebook users that it walked away with $4 million in an elaborate ad fraud scheme that went undetected by its victims.

Sachit Karve, speaking both for himself and fellow Facebook security researcher Jennifer Urgilez, offered more details about this scheme at the VB 2020 conference last week. Facebook insiders call the group behind it SilentFade and discovered that it came from a Chinese malware ecosystem that used different types of malware in its cybercrime sprees.

Facebook discovered the malware family near the end of 2018 but traced its origins back to 2016. SilentFade has a keen focus on social media targets. “SilentFade is interesting to us as it explicitly targets users of social networks and more recently services with social components like Amazon,” Karve said.

The name SilentFade comes from “Silently running Facebook ads with exploits.” “The malware is capable of running ads on Facebook, without the user’s knowledge, by exploiting a bug on the platform,” Karve said at the conference.

Facebook first noticed something was wrong when traffic on the platform spiked on December 22, 2018. After digging into the traffic logs, the researchers found that some unknown malware was stealing Facebook cookies and credentials and was exploiting a vulnerability to stay hidden from compromised users.

How SilentFade works

In terms of functionality, SilentFade is slick and complex. It steals Facebook credentials in the form of stored passwords and cookies stored in browsers and recreates basic profile information such as the number of friends a compromised user has, any old pages on the user’s profile, and the amount of money the user has left to spend running Facebook ads. It then checks that the user has a valid credit card or PayPal account linked to their Facebook account.

Like many info-stealers, SilentFade reads the log-in data cache file that Chromium-based browsers use to read saved passwords, Karve said. SilentFade also collects session cookies, which are essentially tokens issued post-authentication, allowing the malware to bypass multi-factor authentication because it already has the token that is issued after a successful login. The malware is then able to successfully make requests to Facebook as an authenticated user.

One key to how the malware works is that it gains access to Facebook’s GraphAPI. It does this by hijacking the ads manager access token in the HTML response of the Facebook Ads Manager page. Once the token is extracted, SilentFade can get a list of all payment methods linked to an account, information about linked credit cards (although no credit card numbers), and the balance in the Facebook ad account.

A set of Facebook-specific binaries minimize the chances of users detecting SilentFade by limiting all notifications from Facebook, whether through SMS, email or push notifications. SilentFade can even disable sound notifications to stay silent.

“The malware authors have spent a lot of time tinkering with Facebook settings long enough to find a vulnerability, which they took advantage of and use the opportunity to exploit,” Karve said. As a consequence, users are not notified of suspicious logins or activity, even when Facebook’s security system detects abnormal behavior.

Users aren’t able to unblock the notification settings that SilentFade tinkers with and the blocked pages used in the notification process remain in an irreversible state. To remediate these issues, Facebook added confidence checks to ensure that all blocks are reversible and took a series of other actions such as forcing password resets for affected users, terminating all active sessions of users hit by the exploit and making the login alerts and the business pages unlockable.

Tapping into the underground ad economy

“Once SilentFade infects the system, it literally uses sessions and access tokens to retrieve account information and link to payment methods. They are then exported to [SilentFade’s command-and-control] servers and possibly sold in an underground marketplace to the highest bidder based on the account value,” Karve said.

Once successful underground buyers can log into the accounts using the same legitimate sessions they’ve been sold, they can then create an ad, usually for low-level goods such as counterfeit sunglasses, while using the victim’s ad payments to pay for it. They also use fake celebrity endorsements for weight loss pills and peddle male enhancement pills.

The sophistication doesn’t end there, however. Even the ads run by the scammers take strenuous steps to hide their actions. For example, if an ad targets users in Australia, it will only redirect users to the scam page if the IP address goes to Australia to avoid raising any suspicions.

Likewise, if the ad is targeted for mobile devices, only mobile devices are redirected. Similarly, the click has to originate with Facebook to see the scam page. Even images in ads are often distorted to throw off image classifiers.

Users can struggle getting out of the ad fraud loop because some fraud pages include up to a hundred bookmarks in the history stack, forcing the user to press the back button up to a hundred times to return to the previous page. “Over time we found several components to other malware that do similar things and we believe they are all a part of the same ecosystem as SilentFade,” Karve said.

SilentFade came back after remediation

Even after Facebook implemented its remediation measures to stop SilentFade, it appeared with a new version that removed the notification settings change and page blocks. The revised version experimented with different things such as string obfuscation to fool antivirus detection signatures and the use of online git repositories like Bitbucket to host payloads. The new variant also began stealing Amazon and Instagram cookies and stole information on Facebook business managers, too.

Because Facebook and other web services don’t have any of the software running on users’ endpoints, it’s difficult to detect account compromises like SilentFade in real-time. “We cannot reliably determine account compromise in real-time and we depend on endpoint protection products to protect and stop malware from infecting user devices,” Karve said. “Going forward, it may be worth considering showing users which online accounts could be compromised after a sample has been detected and helping users to reset passwords to their accounts.”

Facebook took another route to tackle the SilentFade problem in December 2019 when it filed a civil lawsuit in California against ILikeAd Media International Company Ltd. and Chen Xiao Cong and Huang Tao for creating and installing the SilentFade malware.

Despite the disruption and theft of users’ ad spend dollars, Facebook considers itself lucky. “It’s not often that we are really able to directly correlate abuse on a web platform with a credential stealer, but we were fortunate in this case to be able to do it,” Karve said. Not only that, we were able to find individuals involved in the development of this malware; we also took legal action against them in December 2019.”