SOCRadar® Cyber Intelligence Inc. | Scammers Distribute Malware via Verified Account Ads on Facebook


May 11, 2023

Scamming campaigns frequently involve threat actors impersonating businesses or significant individuals. However, a recent trend of Facebook ad scams has been especially threatening, with scammers potentially infecting a large number of people with malware.

Several verified Facebook pages were recently hacked and started distributing malware via ads purchased through and approved by the platform. The threat actors behind the campaign compromised popular Facebook accounts, then purchased Facebook ads to target users; in some cases, they changed account names to impersonate Facebook and Google, in an effort to deceive more users.

Scam Ads Impersonating Meta and Google AI

Matt Navarra, a social media consultant, was among the first to notice some of these ads and shared them on Twitter. The fake accounts shared dubious links and, because the content was paid promotion, possibly reached many Facebook users. Below, you can see how threat actors impersonated Meta Ads to trick Facebook users into clicking a link, supposedly to download a new and more secure ad management tool.

Threat actors impersonate Meta Ads and Meta Ads Manager (Source: Twitter)

In one case where scammers impersonated Google AI, they instructed users to visit links that purportedly led to Bard, Google’s AI chatbot. Prior to April 29, the account was under the name of an Indian celebrity, Miss Pooja, and had been active for a long time, amassing more than 7 million followers.

Threat actors attempt to distribute malware using the name of Google AI (Source: Twitter)

Facebook’s Name Change History Feature Doesn’t Prevent Scams 

To increase transparency, Facebook publicly displays a history of name changes for verified accounts. However, despite this safeguard, certain scams continue to slip through. 

Recently, hacked pages impersonating major tech companies, including Meta, were able to purchase Facebook ads and distribute suspicious download links.

Although the pages' account names had recently been changed, Meta’s automated system still approved these ads. Nevertheless, all the pages identified as impersonators by Navarra have now been disabled.

AI-Themed Malware Scams Like DuckTail Are Targeting Facebook Users

Meta has reported a series of malware scams that use AI-themed chatbots to trick Facebook, Instagram, and WhatsApp users into downloading malware. 

One such malware is DuckTail, which has been targeting Facebook users since 2021 and can steal sensitive information, including two-factor authentication codes.

The scammers behind these attacks may have compromised the Facebook pages that then purchased malware-laden ads. Although Meta invests in detecting and preventing scams, scammers continue to find ways to bypass its security measures.

SOCRadar’s RiskPrime: Protecting Brands from Social Media Threats

The widespread use of social media platforms such as Twitter, Facebook, and Instagram has created opportunities for cybercriminals to engage in fraud, phishing, and the spread of false information. 

SOCRadar’s Brand Protection

This can damage a company’s reputation. SOCRadar’s RiskPrime offers real-time detection and monitoring of potential threats on social media, including fake phishing profiles using a company’s brand name, detection of APT (Advanced Persistent Threat) groups’ activities, monitoring for campaigns that aim to harm a company’s reputation, and detection of unauthorized changes to a company’s own social media accounts.