Counterfeit Madgicx Plus and SocialMetrics extensions hijacking Meta business accounts
Cybersecurity researchers have revealed two new campaigns that distribute fake browser extensions through malicious advertisements and counterfeit websites to steal sensitive data. The first campaign, identified by Bitdefender, promotes a fraudulent “Meta Verified” browser extension called SocialMetrics Pro, which falsely claims to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads have been detected promoting this extension. These ads are accompanied by a video tutorial that instructs viewers on how to download and install the extension, which purports to unlock special features on Facebook. However, the extension, hosted on a legitimate cloud service called Box, is designed to collect session cookies from Facebook and transmit them to a Telegram bot controlled by the attackers.
Additionally, variants of this rogue browser add-on have been observed using the stolen cookies to interact with the Facebook Graph API, potentially retrieving further account information. The ultimate goal of these operations is to sell valuable Facebook Business and Ads accounts on underground forums for profit or to repurpose them for additional malvertising campaigns, creating a self-perpetuating cycle of account hijacking. The campaign exhibits characteristics typically associated with Vietnamese-speaking threat actors, who are known to utilise various stealer families to gain unauthorised access to Facebook accounts. This theory is supported by the use of Vietnamese in the tutorial narration and source code comments. Furthermore, researchers noted that attackers can mass-generate links and continuously refresh their campaigns by leveraging trusted platforms, fitting into a broader trend of industrialised malvertising.
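A defender-side triage of unpacked extensions for the behaviour described above (access to Facebook cookies combined with a Telegram bot endpoint, with Graph API references also noted), added here as an example and not taken from the researchers' report or from the extensions themselves. The function names, verdict labels and sample manifests are constructed for illustration; `cookies`, `host_permissions` and `<all_urls>` are standard Chrome manifest fields.

```python
import re

# api.telegram.org: Telegram Bot API host; graph.facebook.com: Graph API host.
TARGET_DOMAIN = "facebook.com"
EXFIL_HOSTS = ("api.telegram.org",)
FOLLOWUP_HOSTS = ("graph.facebook.com",)

def host_patterns(manifest):
    """Host match patterns from MV3 host_permissions and MV2 permissions."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", [])
             if p == "<all_urls>" or "://" in p]
    return pats

def covers(pattern, domain):
    """True if a match pattern grants access to domain or one of its subdomains."""
    if pattern == "<all_urls>":
        return True
    m = re.match(r"^[^:]+://([^/]*)/", pattern)
    if not m:
        return False
    host = m.group(1)
    if host == "*":
        return True
    host = host[2:] if host.startswith("*.") else host
    return host == domain or host.endswith("." + domain)

def triage(manifest, sources):
    """Findings for one unpacked extension; sources maps filename -> script text."""
    findings = []
    if "cookies" in manifest.get("permissions", []) and any(
            covers(p, TARGET_DOMAIN) for p in host_patterns(manifest)):
        findings.append("cookie-access:" + TARGET_DOMAIN)
    # Plain substring search: obfuscated or runtime-built URLs will not match.
    for name, text in sources.items():
        findings += [f"{name}:{h}" for h in EXFIL_HOSTS + FOLLOWUP_HOSTS if h in text]
    return findings

def verdict(findings):
    """high = can read Facebook cookies and references the Telegram Bot API."""
    cookie = any(f.startswith("cookie-access:") for f in findings)
    exfil = any(f.endswith(":" + h) for f in findings for h in EXFIL_HOSTS)
    return "high" if cookie and exfil else "review" if cookie else "low"

# Constructed samples, not taken from the real extensions.
SUSPECT = {"manifest_version": 3, "permissions": ["cookies", "storage"],
           "host_permissions": ["*://*.facebook.com/*"]}
SUSPECT_SRC = {"bg.js": 'const u = "https://api.telegram.org/bot<PLACEHOLDER>/sendMessage";'}
BENIGN = {"permissions": ["storage"], "host_permissions": ["https://example.com/*"]}
```

A "review" verdict only means the extension is able to read Facebook cookies, which some legitimate ad tools also request, so it calls for a manual look rather than removal.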
The second campaign targets Meta advertisers with rogue Chrome extensions distributed via counterfeit websites masquerading as artificial intelligence-powered ad optimisation tools for Facebook and Instagram. Central to this operation is a fake platform named Madgicx Plus. This extension is marketed as a tool to enhance campaign management and improve return on investment using artificial intelligence. In reality, it delivers malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts. These extensions are presented as productivity or ad performance enhancers, but they function as dual-purpose malware designed to steal sensitive information.