Researchers at Bitdefender have uncovered a deceptive scheme in which Vietnamese-speaking hackers are pushing fake browser extensions—specifically one called SocialMetrics Pro—via malvertising and tutorial videos to steal Facebook Business and Ads account credentials. The extensions falsely promise users a blue verification badge for Facebook/Instagram. Once installed (often via malicious ads or fake sites), the malware harvests session cookies and IP addresses, sending them to a Telegram bot; sometimes, it even queries the Facebook Graph API for further sensitive business‐account data. Verified business accounts are then resold on underground markets and abused to run further malicious ad campaigns.
Sources: TechRadar, Bitdefender, Hacker News
Key Takeaways
– Beware of “verification” bait: Offers of free blue checkmarks or special status via browser extensions are almost always scams, especially when promoted through ads or third-party sites.
– Malware methods include cookie theft and API abuse: Extensions steal session data (cookies), victim IP addresses, and in some cases exploit the Facebook Graph API, increasing the risk of full account takeover.
– Legitimacy is often faked using trusted platforms: The malware is hosted using services like Box, and the campaigns use video tutorials (in Vietnamese in this case), mass-generated advertising content, and other credible-looking materials to appear legitimate.
In-Depth
Hackers are stepping up their game when it comes to tricking users into giving up access to their Meta (Facebook/Instagram) business assets. Bitdefender’s latest research reveals a coordinated campaign launched by Vietnamese-speaking threat actors, using a fake browser extension named SocialMetrics Pro that purportedly offers the blue verification tick for free. With at least 37 separate ads circulating, many of which embed video-tutorials in Vietnamese, unsuspecting users are guided through installing the extension under false pretenses.
What makes these attacks particularly dangerous is not just the initial deception, but the combination of techniques used after installation. First, session cookies from Facebook are stolen; these can allow bad actors to impersonate or fully control a business account. Victim IP addresses are also harvested, and in some versions the malware interacts with the Facebook Graph API to gather even more sensitive information. The attackers then funnel this data via Telegram bots and sometimes sell access to verified business accounts, especially those in good standing with clean ad histories. These accounts are highly valuable, because they can run malicious campaigns with less scrutiny.
A striking detail in this campaign is how it leverages legitimacy to cloak its malicious intents. The malware is hosted on Box—a trusted cloud storage service—which helps the extension appear more credible. The video tutorials, ad creatives, and websites are professionally polished, and are localized (in this case, Vietnamese) to build trust with a target audience. This “industrialization” of malicious content makes the scheme scalable, harder to detect, and more effective.
For content creators, business owners, and anyone managing Meta business assets, the implications are clear: no extension or offer that promises verification should be trusted if it isn’t from Meta itself. Always rely on official channels (Meta’s own site, trusted extension stores), check permissions carefully, enable multi-factor authentication, and monitor account behavior for any suspicious activity. The risk is real: a single misstep could mean losing control of ad spending, reputation, or even revenue.