SilentFade: unveiling Chinese malware abusing Facebook ad platform

Sanchit Karve (Facebook) & Jennifer Urgilez (Facebook)
Live only, 17:00 to 17:30 UTC, Thursday 1 October 2020 (Day 2)
In this talk we will uncover a Chinese ecosystem that uses three distinct malware families to target Facebook users and commit ad fraud. One of these families, SilentFade, compromised Facebook accounts and caused ad-fraud related damages.

These malware families were initially discovered in December 2018, when a suspicious traffic spike across a number of Facebook endpoints indicated a possible malware-based account compromise attack. Our investigation uncovered a number of interesting techniques used to compromise people's accounts with the goal of committing ad fraud. The attackers primarily ran malicious ad campaigns, often in the form of advertising pharmaceutical pills and spam with fake celebrity endorsements.

The attackers also created detection challenges. They cloaked their landing pages and made purchases appear valid by using the legitimate credit cards and PayPal accounts linked to the compromised user accounts. In December 2019, as a result of an extensive investigation, Facebook pursued legal action against the responsible parties.

Industry investigators are rarely able to see an end-to-end picture of credential compromise directly leading to abuse on a particular platform. In this talk we will provide that end-to-end picture. We will dive deep into the full attack cycle used by this actor group and look at the inner workings of the SilentFade malware, the exploit it relied on, its two malware cousins, the ads run from compromised accounts, and the cloaking elements they used to hide. We will also shed light on the challenges involved in detecting and remediating malware-compromised accounts from the perspective of a web service that typically has no control over the compromised endpoints that access it.
Sanchit Karve (Facebook)
Sanchit Karve is a malware researcher and security engineer at Facebook. Prior to that he was fighting malware in McAfee Labs' Threat Intelligence & Escalations team. He holds a Master's degree in computer science from Oregon State University and was awarded Virus Bulletin's Péter Szőr Award for best technical research in 2015 for his work on the Beebone botnet, which facilitated its takedown by global law enforcement agencies earlier that year. You can find him in his spare time binge-gaming RPGs, hiking aimlessly across the Bay Area, or wherever heavy metal gigs take him.
Jennifer Urgilez (Facebook)
Jennifer Urgilez is an information security analyst at Facebook focusing on eCrime and account security threats. Prior to this, she served as a cybercrime subject matter expert in public service, where she focused on priority malware campaigns impacting critical infrastructure. She holds a Master's degree in cybersecurity from Carnegie Mellon University and a political science degree from Yale. During her spare time she enjoys hiking.