SilentFade: unveiling Chinese malware abusing Facebook ad platform

Thursday 1 October 16:30 - 17:00, Green room

Sanchit Karve (Facebook)
Jennifer Urgilez (Facebook)

In this talk we will uncover a Chinese ecosystem that uses three distinct malware families to target Facebook users and commit ad fraud. One of these families, SilentFade, compromised Facebook accounts and caused ad-fraud related damages.

These malware families were initially discovered in December 2018, when a suspicious traffic spike across a number of Facebook endpoints indicated a possible malware-based account compromise attack. Our investigation uncovered a number of interesting techniques used to compromise people with the goal of committing ad fraud. The attackers primarily ran malicious ad campaigns, often in the form of advertisements for pharmaceutical pills and spam with fake celebrity endorsements.

The attackers also created detection challenges. They cloaked their landing pages and made purchases appear valid by using the legitimate credit cards and PayPal accounts linked to the compromised user accounts. In December 2019, as a result of an extensive investigation, Facebook pursued legal action against the responsible parties.

Industry investigators are rarely able to see an end-to-end picture of credential compromise directly leading to abuse on a particular platform. In this talk, however, we will provide that end-to-end picture. We will dive deep into the full attack cycle used by this actor group and look at the inner workings of the SilentFade malware, the exploit it relied on, its two malware cousins, the ads run from compromised accounts, and the cloaking elements they used to hide. We will also shed light on the challenges involved in detecting and remediating malware-compromised accounts from the perspective of a web service that typically has no control over the compromised endpoints that access its Internet services.


Sanchit Karve

Sanchit Karve is a malware researcher and security engineer at Facebook. Prior to that he was fighting malware in McAfee Labs' Threat Intelligence & Escalations team.

He holds a Master's degree in computer science from Oregon State University and was awarded Virus Bulletin's Péter Szőr Award for best technical research in 2015 for his work on the Beebone botnet which facilitated its takedown by global law enforcement agencies earlier that year. You can find him in his spare time binge-gaming RPGs, hiking aimlessly across the Bay Area, or wherever heavy metal gigs take him.


Jennifer Urgilez

Jennifer Urgilez is an information security analyst at Facebook focusing on eCrime and account security threats. Prior to this, she served as a cybercrime subject matter expert in public service, where she focused on priority malware campaigns impacting critical infrastructure. She holds a Master’s degree in cybersecurity from Carnegie Mellon University and a political science degree from Yale. During her spare time she enjoys hiking.


