Malicious Facebook Ads Distribute Fake “Meta Verified” Browser Extensions

A recent report by security researchers at Bitdefender details a malicious campaign spreading through Facebook ads that promote fake “Meta Verified” browser extensions.

The campaign targets Facebook users, especially content creators and small businesses, by offering tools that claim to unlock verification features, but in reality are designed to steal account credentials and session data.

It operates through Facebook ads that claim to offer a simple way to get the blue verification badge on Facebook, which is normally available only through a paid subscription. These ads are accompanied by video tutorials demonstrating how to download and install a browser extension that supposedly enables Meta verification or other exclusive features.

But the extension is actually malware that, once installed, can extract sensitive session cookies from the user’s browser, access IP information, and transmit this data to an attacker-controlled Telegram bot.

Researchers analyzing the campaign noted that:

The browser extension code appeared to be weakly obfuscated and AI-generated, with generic variable names and simplistic implementation.

Hosting was handled via Box.com, a legitimate cloud service, allowing for frequent re-use of hosting links without raising immediate suspicion.

Some variants of the extension attempt to interact with Facebook’s Graph API using stolen tokens, with a focus on identifying Facebook Business accounts. These accounts are more valuable to attackers and are often sold or used in further advertising scams.

Victims of this campaign may lose access to their personal or business Facebook accounts. Business accounts, in particular, carry higher risk due to their use in paid advertising, content promotion, and customer engagement. A compromised business account can lead to financial loss, brand damage, and further unauthorized ad spend.

Even individual accounts, once compromised, can be used to distribute additional malicious content to friends, followers, or groups, extending the campaign’s reach.

Effectiveness

The campaign relies on users’ interest in gaining verified status on Facebook, especially since Meta now requires a paid subscription for verification. By presenting the extension as a legitimate tool in an instructional video, attackers increase the chances that users will install the malware without suspicion.

To avoid similar threats, users and businesses should regularly review account activity, admin access and connected applications, and enable multi-factor authentication where available, including on social media accounts. They should also install extensions only from trusted platforms like the Chrome Web Store or Firefox Add-ons.

Avoid installing browser extensions from links provided in ads or unofficial sources, especially when they come with offers that seem too good to be true.

Using endpoint protection and browser security tools can also help detect and block malicious extensions and scripts.
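As an added example (not from the Bitdefender report or this article's author), the sketch below triages an unpacked extension for the behaviours described above: cookie access to Facebook, a Telegram Bot API endpoint in its scripts, and no store update URL. The function names, regexes and sample data are assumptions constructed for illustration.

```python
import json
import re
from pathlib import Path

# Assumed heuristics based on the behaviour described above, not vendor signatures.
FACEBOOK_HOST = re.compile(r"(<all_urls>|\*://\*/|facebook\.com)", re.I)
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)


def triage(manifest: dict, sources: dict) -> list:
    """Return findings for one extension given its parsed manifest and JS sources."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Manifest V3 lists hosts separately; V2 mixes them into "permissions".
    hosts = [h for h in list(perms) + manifest.get("host_permissions", []) if FACEBOOK_HOST.search(h)]
    if "cookies" in perms and hosts:
        findings.append(f"cookies API with access to {sorted(set(hosts))}")
    for name, text in sources.items():
        if TELEGRAM_API.search(text):
            findings.append(f"{name}: references Telegram Bot API endpoint")
    # Chrome Web Store installs carry "update_url"; its absence suggests a sideload (heuristic).
    if "update_url" not in manifest:
        findings.append("no update_url (likely sideloaded / unpacked)")
    return findings


def triage_dir(ext_dir: str) -> list:
    """Load manifest.json and every .js file from an unpacked extension directory."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    sources = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in root.rglob("*.js")}
    return triage(manifest, sources)


# Constructed sample, not taken from the campaign: inert strings only.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Verified Badge Helper (constructed)",
    "permissions": ["cookies", "storage"],
    "host_permissions": ["https://*.facebook.com/*"],
}
SAMPLE_SOURCES = {"background.js": "const u = 'https://api.telegram.org/bot<PLACEHOLDER>/sendMessage';"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print("[!]", finding)
```

A single finding is not proof of malice; the combination of all three on an extension installed from an ad link is what warrants removal and a session reset.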

This incident highlights ongoing risks associated with social media advertising and account security. As attackers continue to adapt their methods, users should remain cautious when engaging with tools or services promoted through unofficial channels.

For a detailed breakdown of the findings, you can read the original report on Bitdefender’s official blog here.

