A team of website security specialists detected and exposed a campaign that, taking advantage of Libya-related news, has deployed dozens of fake Facebook pages and profiles over the past five years to distribute malware.
The links used by the attackers redirected victims to sites that hosted malware for Android and Windows devices; one of the main attack vectors was a fake Facebook profile allegedly operated by Field Marshal Khalifa Haftar, commander of the Libyan National Army.
This fake profile was created in early April and had more than 11k followers, posting content related to military campaigns and conspiracy theories accusing countries such as Turkey of espionage against Libya. Among other things, the posts in this profile also offered a so-called app that the people of Libya could use to find information on the country’s army.
Security firm Check Point reported that most of these links redirected the user to sites and applications previously identified as malicious content. Attackers infected users with various remote administration tools such as Houdini, Remcos and SpyNote; most of these were stored on hosting services like Google Drive and Dropbox.
The fake military posts were riddled with writing errors and misspellings. Based on the type of errors and the form of writing, experts are convinced that the perpetrators of this campaign are Arabic speakers.
Afterwards, website security specialists began searching for other pages with writing errors similar or identical to those found in the fake Facebook profile, discovering at least 30 additional pages, all active since 2014. Of this set, the five pages with the most followers had, in total, at least 400k followers.
According to specialists from the International Institute of Cyber Security (IICS), this Facebook account also leaked confidential information, possibly stolen from the victims of this campaign. The data included documents belonging to the Libyan government, emails, and government officials’ telephone numbers and passport photos. In recent days Facebook posted a statement mentioning that the pages had already been deleted.