How hackers stole millions of dollars from Facebook users before getting caught
$4 million: how much hackers stole by purchasing ads with users' hijacked accounts.
Facebook has detailed how a sophisticated campaign based out of China was able to hijack accounts and buy ads using the credit card details users had on file. The ads hawked everything from diet pills to counterfeit handbags and drained $4 million from victims' wallets before Facebook caught up to the shenanigans. The company reimbursed users who were affected but didn't confirm whether or not they were made whole.
The scheme worked through a sophisticated piece of malware called SilentFade, which was buried in pirated copies of popular software applications. When a person installed the software, their computer would quietly become infected and SilentFade would begin hunting for Facebook session cookies that allowed the hackers into an account.
Stealth operations — Once inside an account, there were various ways the hackers managed to keep their ad-buying activity quiet. SilentFade would disable Facebook notifications so a user wasn't alerted to unauthorized logins or ad buys. The hackers also found a vulnerability in Facebook that rendered it impossible to turn login alerts back on. To hide from Facebook itself, they would buy ads linking to legitimate websites and, once the ads were approved, the sites would begin redirecting to shadier places.
After Facebook spotted the scam, it patched its site so that login notifications couldn't be permanently disabled and usage of the malware plummeted. It says SilentFade has been used to attack other sites, however, including Amazon and Twitter.
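The sequence described above (a stolen session cookie reused on another machine, notifications switched off, then ads bought) can be written as a correlation rule over account events. The following Python is an added example, not Facebook's detection logic or anything from the original article; the event schema, field names and 24-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

WINDOW = 24 * 3600  # max seconds from first replayed request to ad purchase (assumed value)

# Constructed sample events; field names and event types are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": 100, "account": "alice", "device": "d1", "type": "login"},
    {"ts": 200, "account": "alice", "device": "d1", "type": "ad_purchase"},
    {"ts": 300, "account": "bob", "device": "d2", "type": "login"},
    {"ts": 5000, "account": "bob", "device": "d9", "type": "request"},
    {"ts": 5100, "account": "bob", "device": "d9", "type": "notifications_disabled"},
    {"ts": 9000, "account": "bob", "device": "d9", "type": "ad_purchase"},
    {"ts": 400, "account": "carol", "device": "d3", "type": "login"},
    {"ts": 500, "account": "carol", "device": "d3", "type": "notifications_disabled"},
    {"ts": 600, "account": "carol", "device": "d3", "type": "ad_purchase"},
]


def flag_hijack_pattern(events, window=WINDOW):
    """Return sorted account names showing cookie replay -> alerts off -> ad buy."""
    logged_in = defaultdict(set)  # account -> devices that authenticated interactively
    replay_start = {}             # (account, device) -> ts of first request without a login
    alerts_off = {}               # (account, device) -> ts notifications were disabled
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"], ev["device"])
        if ev["type"] == "login":
            logged_in[ev["account"]].add(ev["device"])
            continue
        if ev["device"] not in logged_in[ev["account"]]:
            # Session used on a device that never logged in: possible cookie replay.
            replay_start.setdefault(key, ev["ts"])
        if key not in replay_start:
            continue  # activity from a device with a normal login history
        if ev["type"] == "notifications_disabled":
            alerts_off.setdefault(key, ev["ts"])
        elif ev["type"] == "ad_purchase" and key in alerts_off:
            if ev["ts"] - replay_start[key] <= window:
                flagged.add(ev["account"])
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_hijack_pattern(SAMPLE_EVENTS))
```

Only the account whose session appears on a device with no login, followed by notifications being disabled and an ad purchase from that same device, is flagged; the owner who turns off alerts and buys ads from a logged-in device is not.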
Is that all they did? — Certainly the hackers could have siphoned sensitive personal data off compromised accounts, or used them to spread political propaganda, but Facebook is saying there's no evidence they did anything other than buy ads.
The whole situation is reminiscent of Twitter's recent major hack, when the accounts of everyone from Elon Musk to Barack Obama were hacked by a bunch of teens promoting a Bitcoin scam. In all, the group managed to steal about $130,000 when they could've likely done much more damage.
Advertising fraud in particular is a big problem online. Recent reports have estimated that companies lost more than $23 billion to digital ad fraud in 2019 as bad actors find ways to profit off manipulated clicks and views of ads placed on their sites.
At its scale, Facebook has a hard time policing all the ads run on its platform, especially when, as in this case, legitimate-looking accounts are co-opted and the target website being advertised can redirect somewhere else after the ad has been approved. Manual review of advertisements on TV and in print has given way to automatic systems that allow anyone to buy an ad with a few clicks and broadcast it to millions of people. That ease has been a positive but makes it easier for such fraudulent campaigns to hide in the shadows.