- Researchers have found two new malvertising campaigns distributing fake browser extensions to steal sensitive data.
- Fake “Meta Verified” extensions and AI-powered ad optimization tools are promoted through malicious ads and fraudulent websites.
- Some extensions collect Facebook session cookies, send information to attacker-controlled Telegram bots, and use the Facebook Graph API for further data theft.
- The campaigns target Meta Business and Ads accounts for resale or future attacks, creating a recurring risk cycle.
- Vietnamese-speaking threat actors are likely behind the campaigns, using legitimate platforms for large-scale distribution.
Cybersecurity experts have reported two separate campaigns using malicious ads and fake websites to spread harmful browser extensions. The campaigns, active as of September 2025, are targeting users worldwide in an effort to steal Facebook and Instagram account information.
According to Bitdefender, one operation distributes a phony Meta Verified browser extension called SocialMetrics Pro. The extension is pushed through at least 37 fraudulent ads and claims to provide users with the blue verification checkmark for their social media profiles. The ads include video instructions to guide victims through the installation process.
The extension is hosted on the legitimate cloud service Box and can collect Facebook session cookies and IP addresses, forwarding them to a Telegram bot under attacker control. Some versions use the stolen session data to access the Facebook Graph API, likely to gather more details about the compromised accounts. Bitdefender noted that similar tactics have been used by Malware families like NodeStealer.
The main objective of these campaigns is to take over Facebook Business and Ads accounts. Stolen accounts are then traded on underground forums or used for more malvertising, leading to further account hijacks. Bitdefender stated, “By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns.” Vietnamese-language narration and code comments indicate the threat actors are likely Vietnamese-speaking criminals known for attacking Meta accounts.
A second scheme identified by Cybereason involves fake Chrome extensions marketed as Artificial Intelligence tools for improving ad performance, like the imitation platform Madgicx Plus. The company explained, “The extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.” Some of these extensions are still available in the official Chrome Web Store.
Once installed, the extensions capture sensitive data, monitor browsing activity, and prompt users to link their Facebook and Google accounts, covertly harvesting identities. These extensions use Facebook credentials to interact with the Facebook Graph API for expanded compromise.
Both campaigns use trusted platforms for widespread distribution and employ staged methods—first capturing Google data, then expanding to Facebook accounts—to maximize their reach.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Morgan Stanley Doubles Down on ‘Dollar Smile’ Amid 2025 Drop
- Russia Exposes America’s $37 Trillion Debt ‘Reset’ Plan Using Cryptocurrency — But BRICS Nations Are Fighting Back
- Russian Official Proposes Crypto Bank to Combat Illicit Transactions
- CHILLYHELL, ZynorRAT Malware Target Windows, Mac, and Linux Systems
- Dogecoin Set for 16% Surge, Bullish Momentum Builds for DOGE
