Security Experts:

Connect with us

Hi, what are you looking for?



Facebook Details Malware Campaign Targeting Its Ad Platform

Facebook on Thursday released a detailed technical report on a malware campaign that targeted its ad platform for years.

Facebook on Thursday released a detailed technical report on a malware campaign that targeted its ad platform for years.

Referred to as SilentFade (Silently running Facebook ADs with Exploits), the malware was identified in late 2018 and the vulnerability it was exploiting to stay undetected was patched soon after. Facebook took legal action against the malware operators in December 2019.

The malware exploited a server-side flaw to persistently suppress notifications and ensure that the infected users would not be made aware of suspicious activity related to their accounts. This allowed SilentFade to abuse the compromised accounts and run malicious ads without the victims noticing anything.

Although the malware was first detected in the final week of 2018, the cyber-crime group behind it is believed to have been operating since 2016, constantly adapting to new Facebook features and likely expanding to other social platforms and web services as well.

Distribution channels for SilentFade include potentially unwanted program (PUP) bundles within pirated copies of legitimate software and other malware families. The PUP bundles would include a downloader component that would fetch a standalone malware component meant to achieve persistence and download malicious DLLs into Chrome’s application directory, to perform DLL hijacking.

Next, the malware would steal Facebook login credentials from Internet browsers, would retrieve metadata about the Facebook account, and send the information to the command and control (C&C) servers. The victim’s IP address was logged as well, for geolocation purposes.

“Based on a review of the data collected by SilentFade, it’s likely that compromised user accounts that had at least a linked payment method were deemed more valuable. SilentFade, or its customers, would then be able to use the compromised user’s payment method (credit card, bank account, or PayPal account) to run malicious ads on Facebook,” the social media platform explains.

If no page or linked payment information was attached to the account, the attackers used stolen credit card data to create pages and run ads. According to Facebook, however, no user payment information details were exposed to the attackers.

The malware included anti-VM checks and targeted Facebook-specific credentials and cookies stored on the local machine only. It also leveraged access to the Graph API to gather additional information on the victim, and took specific action to get around the security checks that Facebook had in place, such as asking for user permission.

Notification alerts were completely turned off for the compromised accounts, thus preventing users from receiving alerts on the suspicious activity taking place. Login alerts and Facebook Business pages were blocked as well.

After identifying the malicious activity, Facebook patched a server-side validation flaw, reverted the blocked notification state on all affected accounts, forced password resets, invalidated sessions, added more fixes and detection mechanisms, and reimbursed affected users.

Facebook’s investigation into SilentFade, which saw collaboration from Radware, Bitdefender, Atlassian/BitBucket and Google/VirusTotal, enabled attribution, and in December 2019 the company sued Chinese firm ILikeAd Media International Company Ltd. and two of its employees, namely Chen Xiao Cong and Huang Tao, for creating and operating the malware.

SilentFade authors, however, modified their code to ensure it can work even with Facebook’s new mechanisms in place, and started employing obfuscation to hinder detection.

The social platform also discovered additional Chinese malware that are part of an ecosystem targeting Facebook users and says that such attacks were active as of June 2020. Some of the names it mentions in a report made public on Thursday include StressPaint, FacebookRobot, and Scranos.

“We believe this ecosystem spread its wings again in early 2019 with the release of two newer malware families, ‘Scranos’ and ‘FacebookRobot’, first seen in April and June 2019, respectively,” the company notes.

Related: Malicious Behavior Allegedly Found in Advertising SDK Used by 1,200 iOS Apps

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

Related: Malware Framework Gathers 1 Billion Ad Impressions in 3 Months

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.