A new phishing attack called MrTonyScam has been discovered [7], originating from a Vietnamese-based group [1] [2] [3] [7]. This attack targets Facebook Messenger users by sending messages with compressed file attachments, such as RAR and ZIP archives.

Description

These attachments contain a powerful Python-based stealer that aims to take over the targets’ accounts [1]. When the attachment is opened, a dropper is deployed that fetches the next-stage payload from a GitHub or GitLab repository [2] [3] [7]. The payload includes an obfuscated Python-based stealer that steals cookies and login credentials from web browsers [2] [3] [4] [7]. These stolen credentials are then sent to an actor-controlled Telegram or Discord API endpoint [2] [3] [7]. The attacker deletes the stolen cookies [2] [3] [4] [5] [7], logging the victims out of their accounts and changing their passwords to seize control [2] [3] [4] [5].
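The attack chain above gives a defender two network behaviours to watch for: a freshly dropped, non-browser process pulling a second stage from a code-hosting site, and that same kind of process posting data to a Telegram or Discord API endpoint. The following detection sketch is an added example written for this summary, not code from the article or any of the cited sources. It runs over constructed endpoint telemetry records (process name plus destination); the exact hostnames, paths and process names it keys on are assumptions, since the sources name only the services involved.

```python
"""Detection sketch for the MrTonyScam chain: next-stage fetch from a
code host, then exfiltration to a Telegram/Discord API endpoint, both
from a process that is not a browser. Added example; the hostnames,
API paths and process names are assumptions, not from the article."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed hostnames for the services the write-up names.
STAGING_HOSTS = {"raw.githubusercontent.com", "github.com", "gitlab.com"}
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}

# Processes for which these destinations are routine. Anything else
# (an interpreter run from an extracted archive, a script host) is suspect.
# browser.exe is the image name Coc Coc uses (assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "browser.exe"}
DEV_TOOLS = {"git.exe", "code.exe"}


@dataclass(frozen=True)
class NetEvent:
    ts: str
    process: str     # image name of the process that opened the connection
    dest_host: str
    path: str


def classify(ev: NetEvent) -> Optional[str]:
    """Return a rule label if the event matches the campaign's behaviour."""
    proc = ev.process.lower()
    host = ev.dest_host.lower()
    if host in EXFIL_HOSTS and proc not in BROWSERS:
        # Telegram bot API calls look like /bot<token>/<method>; Discord
        # webhooks look like /api/webhooks/<id>/<token> (assumed shapes).
        if host == "api.telegram.org" and ev.path.startswith("/bot"):
            return "stealer_exfil_telegram"
        if host != "api.telegram.org" and ev.path.startswith("/api/webhooks/"):
            return "stealer_exfil_discord"
    # Fetch from a code host by something that is neither a browser nor a
    # developer tool: consistent with the dropper pulling its next stage.
    if host in STAGING_HOSTS and proc not in BROWSERS | DEV_TOOLS:
        return "nextstage_fetch_from_code_host"
    return None


def scan(events: List[NetEvent]) -> List[Tuple[NetEvent, str]]:
    """Return (event, label) pairs for every event that trips a rule."""
    return [(ev, lbl) for ev in events if (lbl := classify(ev))]


# Constructed sample telemetry: a normal browser session, a developer's git
# fetch, then the infection chain (python.exe launched from the archive).
SAMPLE = [
    NetEvent("2023-09-11T08:00:01Z", "chrome.exe", "www.facebook.com", "/messages/"),
    NetEvent("2023-09-11T08:00:05Z", "git.exe", "github.com", "/someorg/repo.git"),
    NetEvent("2023-09-11T08:02:10Z", "python.exe", "raw.githubusercontent.com",
             "/example-actor/repo/main/stage2.txt"),
    NetEvent("2023-09-11T08:02:31Z", "python.exe", "api.telegram.org",
             "/bot0000:PLACEHOLDER_TOKEN/sendDocument"),
    NetEvent("2023-09-11T08:02:32Z", "chrome.exe", "discord.com", "/channels/@me"),
]


if __name__ == "__main__":
    for ev, label in scan(SAMPLE):
        print(f"{ev.ts} {ev.process} -> {ev.dest_host}{ev.path}: {label}")
```

On the constructed sample only the two python.exe events fire; the browser's own Discord visit and the developer's git fetch do not, which is the point of keying on the originating process rather than on the destination alone. A real deployment would pull the same fields from EDR or Sysmon network-connection events and tune the allow-lists to the fleet.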

This campaign has been highly successful [2] [3] [4] [5] [7], infecting approximately 1 out of 250 victims in the last 30 days [3] [5]. Compromises have been reported in various countries [2] [3] [4] [5] [7], including the U.S. [2] [3] [7], Australia [2] [3] [4] [5] [7], Canada [2] [3] [4] [5] [7], France [2] [3] [4] [5] [7], Germany [2] [3] [4] [5] [7], Indonesia [2] [3] [4] [5] [7], Japan [2] [3] [4] [5] [7], Nepal [2] [3] [4] [5] [7], Spain [2] [3] [4] [5] [7], the Philippines [2] [3] [4] [5] [7], and Vietnam [2] [3] [4] [5] [6] [7].

The attackers specifically target Facebook accounts with a good reputation, a seller rating [2] [3] [4] [5] [7], and a high number of followers [2] [3] [4] [5] [7], as these accounts can be monetized on dark markets [7]. The attack is similar to previous campaigns targeting Meta Business and Facebook accounts [2], suggesting active working relationships between threat actors and a Vietnamese cybercriminal ecosystem centered around social media platforms like Facebook [2] [3].

The presence of Vietnamese language references in the script’s source code and the inclusion of the Chromium-based browser Coc Coc [6], popular in Vietnam [6], further support the connection to Vietnam [6].

Conclusion

This phishing attack [1] [2] [3] [4] [5] [6] [7], known as MrTonyScam [3] [5], poses a significant threat to Facebook Messenger users worldwide. With a high success rate and compromises reported in multiple countries, it is crucial for users to remain vigilant and take necessary precautions to protect their accounts. Facebook should also enhance its security measures to prevent such attacks and collaborate with law enforcement agencies to track down and prosecute the perpetrators. Additionally, this attack highlights the need for increased cybersecurity awareness and education to mitigate the risks associated with phishing attacks.

References

[1] https://gixtools.net/2023/09/vietnamese-hackers-deploy-python-based-stealer-via-facebook-messenger/
[2] https://thehackernews.com/2023/09/vietnamese-hackers-deploy-python-based.html
[3] https://patabook.com/technology/2023/09/11/vietnamese-hackers-deploy-python-based-stealer-via-facebook-messenger/
[4] https://www.notiulti.com/hackers-vietnamitas-implementan-stealer-basado-en-python-a-traves-de-facebook-messenger/
[5] https://teknomers.com/es/hackers-vietnamitas-implementan-stealer-basado-en-python-a-traves-de-facebook-messenger/
[6] https://www.cyclonis.com/vietnamese-hackers-phish-for-victims-using-messenger/
[7] https://fagenwasanni.com/news/new-phishing-attack-on-facebook-messenger-exploits-fake-and-hijacked-accounts/259696/