Fake Facebook Warlord Used to Spread Malware, Researchers Say
In one of the largest malware campaigns to exploit Facebook Inc., a suspected Libyan hacker lured tens of thousands of people into exposing personal information and granting access to personal devices, Israeli cyber security company Check Point Software Technologies Ltd. said.
A Facebook page impersonating Khalifa Haftar, the head of a militia fighting Libya’s internationally recognized government, was Check Point’s first clue to an attack that had been going on for five years, the company said. Repetitive spelling mistakes in Arabic that suggested dyslexia helped researchers track other pages set up by the hacker, who used an avatar called Dexter Ly, it added.
“Facebook is not widely used to infect people with malware,” said Lotem Finkelstein, Check Point’s head of research. “This is probably one of the biggest malware campaigns using the platform.”
While Facebook itself wasn’t breached, according to Check Point, the hack highlighted how social media platforms can be abused to carry out attacks. In all, about 50,000 users from North Africa, Europe and the U.S. clicked on infected links that included alleged reports from Libyan intelligence units exposing Qatar or Turkey as conspiring against Libya, or bogus photos of a purportedly captured pilot who tried to bomb Libya, Check Point said. Others were supposed to lead to mobile recruitment sites for Haftar’s armed forces.
Facebook said it couldn’t confirm the figures.
Facebook users have been previously hit by malware attackers, include a 2017 hack that used its Messenger feature to infect computers with malware that mined cryptocurrency. Facebook and other social companies have also come under assault for failing to curb fake news on their platforms. Facebook has said it removed 2.2 billion fake accounts in the first quarter alone.
The suspected Libyan hacker has since shared sensitive information culled through the attack, including secret Libyan government documents as well as emails, phone numbers and pictures of passports belonging to officials, Check Point said in a blog post. The secret documents included policy updates and internal intelligence reports from foreign embassies in Libya and Libyan embassies abroad.
Check Point started tracing the hacker after its research team discovered a file that looked suspicious and followed the trail.
“These pages and accounts violated our policies and we took them down after Check Point reported them to us,” Facebook said in an emailed statement. “We are continuing to invest heavily in technology to keep malicious activity off Facebook, and we encourage people to remain vigilant about clicking on suspicious links or downloading untrusted software.”
Haftar’s forces are battling fighters loyal to Libya’s internationally recognized government. His troops were pushed out of a strategic city south of the capital in late June, his biggest setback since he swept the country’s south in early 2019 and launched an offensive in April to seize Tripoli.
The hacker, an Arabic-speaker, used his knowledge of Libya’s political strife to draw Facebook users to more than 30 pages he either commandeered or impersonated, Check Point said. The majority of the pages offered news from cities including the capital, Tripoli, and Benghazi, while others supported political campaigns or military operations.
“This was unique in its scope of actual and potential victims, as well as in the length of the campaign,” Finkelstein said. “It was also sophisticated in its use of phishing topics, topics that used credible knowledge to lure people into following the Facebook pages and then clicking on the links.”