Threat actors are using fake job advertisements on Facebook to target job seekers, tricking them into downloading malware onto their computers [5]. This campaign involves a new Windows-based stealer malware called Ov3r_Stealer, which uses weaponized PDF files and internet shortcut links to infect systems [4].

Description

The attack begins with a weaponized PDF file shared on a fake Facebook account and Facebook ads for digital advertising jobs [1] [6]. When users click on the embedded “Access Document” button [6], they are served an internet shortcut file that leads to the execution of a PowerShell loader [6], ultimately launching the Ov3r_Stealer malware [5] [6]. The stolen information [1] [2] [4] [6], including personal details like credentials, crypto wallets [1] [6], IP address-based location [6], hardware info [1] [6], passwords [1] [5] [6], cookies [6], credit card information [5] [6], browser extensions [6], Microsoft Office documents [6], and a list of installed antivirus products [6], is then sent to a Telegram channel monitored by the threat actor [1] [6].

Researchers have found similarities between Ov3r_Stealer and another stealer called Phemedrone, suggesting that Phemedrone may have been repurposed and renamed [1] [5] [6]. Additionally, threat actors have been advertising access to law enforcement request portals by exploiting credentials obtained from infostealer infections [6]. There is concern that stolen information may be sold on the market [4], and there is potential for the malware to evolve further in the future [4].

To stay safe while job hunting on social media platforms, it is recommended to use trusted job sites like Indeed or ZipRecruiter [5], or to use LinkedIn instead of Facebook [5]. It is important to avoid downloading files from unknown senders and to exercise caution when sharing personal information. Installing antivirus software and identity theft protection services can provide additional protection against such threats.

The Ov3r_Stealer malware was initially spread through a Facebook job advertisement for an Account Manager position [3]. Users who clicked on weaponized links in the ad were directed to a malicious Discord content delivery network (CDN) URL [3], which initiated the attack [3]. The attackers also employed other distribution methods [3].
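As an added defender-side example (not code from the original article or from any of its sources), the following Python triages the two observable hand-offs in the chain described above: the internet shortcut (.url) file that the PDF lure serves, and non-browser network egress to the Telegram API used for exfiltration. The abused-host list, the log layout and all sample values are constructed for illustration.

```python
from __future__ import annotations
import configparser
import re
from urllib.parse import urlparse
# Hosts reported for payload hosting (Discord CDN) and exfiltration (Telegram).
ABUSED_HOSTS = {"cdn.discordapp.com", "api.telegram.org"}
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")

def shortcut_target(url_file_text: str) -> str | None:
    """Return the URL= target of a Windows .url (InternetShortcut) file."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(url_file_text)
    except configparser.Error:  # not an INI-style shortcut at all
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def shortcut_risk(url_file_text: str) -> list[str]:
    """Reasons a lure-served .url deserves a closer look: a benign shortcut
    opens a web page, not a script or a known payload host."""
    target = shortcut_target(url_file_text)
    if target is None:
        return ["no usable URL target"]
    parsed, reasons = urlparse(target), []
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
    if parsed.hostname in ABUSED_HOSTS:
        reasons.append(f"known-abused host {parsed.hostname}")
    if re.search(r"\.(ps1|cmd|bat|exe|js)$", parsed.path, re.I):
        reasons.append("target is a script or executable")
    return reasons

def telegram_egress_from_non_browser(events: list[str]) -> list[str]:
    """Image paths of non-browser processes that reached the Telegram API."""
    hits = []
    for line in events:
        m = re.match(r"ts=\S+ image=(.+?) dst=(\S+)$", line)
        if m and m.group(2) == "api.telegram.org" \
                and not m.group(1).lower().endswith(BROWSERS):
            hits.append(m.group(1))
    return hits

# Constructed samples: a .url like the lure serves, and invented key=value events.
SAMPLE_URL_FILE = "[InternetShortcut]\nURL=https://cdn.discordapp.com/attachments/1/2/doc_view.cmd\n"
SAMPLE_EVENTS = [
    "ts=2024-02-06T10:01:02 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=api.telegram.org",
    "ts=2024-02-06T10:01:09 image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe dst=api.telegram.org",
    "ts=2024-02-06T10:01:11 image=C:\\Windows\\System32\\svchost.exe dst=update.example.com",
]
```

Running `shortcut_risk(SAMPLE_URL_FILE)` flags both the abused host and the script extension, and `telegram_egress_from_non_browser(SAMPLE_EVENTS)` returns only the process outside the browser allow-list.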

Conclusion

To protect against these threats [4], it is crucial to keep cyber defenses up-to-date and follow secure practices [4]. The impact of this campaign can be significant, with stolen information potentially being sold on the market [4]. It is important for job seekers to be cautious and use trusted platforms when searching for employment. The evolving nature of malware like Ov3r_Stealer highlights the need for ongoing vigilance and proactive measures to mitigate future risks.

References

[1] https://www.redpacketsecurity.com/beware-fake-facebook-job-ads-spreading-ov3r-stealer-to-steal-crypto-and-credentials/
[2] https://news.cloudsek.com/2024/02/malicious-facebook-job-ads-used-as-bait-for-ov3rstealer-malware-attacks/
[3] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-spiderlabs-uncovers-ov3r-stealer-malware-spread-via-phishing-and-facebook-advertising/
[4] https://pledgetimes.com/ov3r_stealer-malware-in-fake-job-ads-on-facebook/
[5] https://www.tomsguide.com/computing/malware-adware/fake-facebook-job-ads-are-using-malware-to-syphon-off-credit-card-data-and-passwords-dont-fall-for-this
[6] https://thehackernews.com/2024/02/beware-fake-facebook-job-ads-spreading.html