New Phishing Attack, Node Stealer 2.0 Steal Sensitive Data of Facebook Business Accounts

Illustration of phishing Node Stealer 2.0 (photo: Palo Alto Network)

JAKARTA - Recently, Unit 42 researchers from Palo Alto Networks discovered a previously unannounced phishing attack, namely Node Stealer 2.0.

According to the findings, this attack began in December 2022. Similar to the Node Stealer variant reported by Meta last May, Node Stealer 2 is an advanced piece of malware for stealing sensitive information, bringing a new dimension to the cyberthreat landscape.

A new variant of the Node Stealer malware attack emerged with two variants written in the Python programming language and having the ability to steal cryptocurrency, download and take over business accounts on Facebook.

"Indonesia is the third largest Facebook user country in the world, with the number of users reaching 119.9 million as of January 2023. This large number of users has the potential to put the Indonesian people at risk of being exposed to serious threats due to the presence of the NodeStealer malware," said Vicky Ray, Director at Unit 42 Cyber ​​Consulting & Threat Intelligence, Asia Pacific & Japan at Palo Alto Networks.

As well as having a direct impact on Facebook business accounts, Vicky also said that this malware also steals user credentials from browsers, which can be used to carry out follow-up attacks.

"We call on all organizations to evaluate their protection policies and implement the infiltration indicators (IoC) included in our report to address this threat," he added.

The main trigger for the deployment of Node Stealer 2.0 was a phishing attack that focused on advertising content used by businesses, which allowed threat actors to steal browser cookies to hijack business accounts on the platform.

Threat actors use multiple pages as well as Facebook users to upload information, luring victims to download links from trusted cloud file storage providers. After clicking the link, a ZIP file containing an information-stealing malicious program will be downloaded to the device.

"Owners of Facebook business accounts are encouraged to use strong, complex and hard-to-guess passwords and activate multi-factor authentication," concluded Vicky.