arrow left Back

SilentFade: unveiling Chinese malware abusing Facebook ad platform

17:00 - 17:30 UTC Thu 1 Oct 2020
Sanchit Karve (Facebook) & Jennifer Urgilez (Facebook)
In this talk we will uncover a Chinese ecosystem that uses three distinct malware families to target Facebook users and commit ad fraud. One of these families, SilentFade, at its peak in early 2019, compromised over 300k Facebook accounts and caused over $4M in ad-fraud related damages within just three months.

While these malware families were initially discovered in December 2018, when a suspicious traffic spike across a number of Facebook endpoints indicated a possible malware-based account compromise attack, our investigations revealed that the group behind them has been operating since at least 2016 and began actively targeting Facebook users in April 2017.

The attackers utilized a number of interesting techniques including exploiting a bug within the 'Block User' subsystem on Facebook that prevented users from receiving notifications about suspicious login and ad activity. This specific technique allowed the attackers persistence on accounts by hiding in plain sight without alerting the user that anything was amiss. The attackers primarily ran malicious ad campaigns, often in the form of pharmaceutical pills and spam with fake celebrity endorsements.

The attackers also posed detection challenges as they relied heavily on cloaking their landing pages, while also using the legitimate credit cards and PayPal accounts linked to the user accounts that were compromised, making it seem like the purchases could be trusted. By using a modular architecture with watcher components across multiple files, SilentFade ensured extended persistence to run malicious ads undetected as long as possible. However, in December 2019, at the end of an extensive investigation, Facebook pursued legal action against the responsible parties.

SilentFade is representative of a change in the last two decades in which information-stealing components such as SilentFade have been integrated with malware in such a way that infostealers are now synonymous with the term malware. Additionally, rarely in industry are we ever able to see an end-to-end picture of credential compromise directly leading to abuse on a particular platform. However, in this talk we will be able to provide that end-to-end picture. We will dive deep into the full attack cycle used by this actor group and look at the inner workings of the SilentFade malware, the 'Block User' exploit, its two malware cousins, as well as the ads run from compromised accounts, and the cloaking elements they used to hide. We will also shed light on the challenges involved in detecting and remediating malware compromised accounts from the perspective of a web service that typically has no control over the compromised endpoints that access these Internet services.
Sanchit Karve
Facebook Sanchit Karve is a malware researcher and security engineer at Facebook. Prior to that he was fighting malware in McAfee Labs' Threat Intelligence & Escalations team. He holds a Master's degree in computer science from Oregon State University and was awarded Virus Bulletin's Péter Szőr Award for best technical research in 2015 for his work on the Beebone botnet which facilitated its takedown by global law enforcement agencies earlier that year. You can find him in his spare time binge-gaming RPGs, hiking aimlessly across the Bay Area, or wherever heavy metal gigs take him.
Jennifer Urgilez
Facebook Jennifer is an information security analyst at Facebook focusing on eCrime. Prior to this, she was a cybercrime subject matter expert for the FBI, where she focused on priority malware campaigns impacting critical infrastructure. She holds a Master’s degree in cybersecurity from Carnegie Mellon University and a political science degree from Yale. During her spare time, she enjoys hiking.