TrendMicro

Profile Stealers Spread via LLM-themed Facebook Ads

Having stolen the access token, the script can query Facebook’s GraphQL API for additional information. The first GraphQL query enumerates the pages the account manages and details about each of them, such as the page’s business ID, fan count, the tasks the account is allowed to perform on it (analyze, advertise, messaging, moderate, create content, manage), and its verification status.

The second GraphQL query enumerates the account’s business information, such as the business ID, its verification status, whether it is able to create ad accounts, its sharing eligibility status, and the time the business account was created.

The last GraphQL query enumerates the account’s advertising information, such as the ad account ID, its account status (“live”, “disabled”, “unsettled”, “in grace period”, or “closed”), currency, whether it is prepaid, its ads payment cycle, daily spending limit, amount already spent, account balance, and the time the ad account was created.

The stealer also attempts to determine the victim’s IP address. All the stolen information (the aforementioned Facebook cookies, access token, browser user agent, managed pages, business account information, and ad account information) is concatenated, URL-encoded, base64-encoded, and exfiltrated to a command-and-control (C&C) server (Figure 12).
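Because the payload is URL-encoded and then base64-encoded, a proxy or EDR rule that matches on clear-text cookie names or on “access_token” will not fire on the exfiltration request; the capture has to be decoded first. The following is an added example (not Trend Micro’s code and not the stealer’s) that reconstructs the concatenate, URL-encode, base64-encode pipeline described above and reverses it for triage. The field names, the “|” separator, and all sample values are constructed assumptions; the post does not give the stealer’s actual field layout.

```python
"""Decode a captured profile-stealer exfiltration payload (added example).

The stealer described above concatenates the stolen fields, URL-encodes the
result and base64-encodes that. Field names, the separator and the sample
values below are constructed for illustration, not taken from the sample.
"""
import base64
import urllib.parse

SEP = "|"  # assumed separator between concatenated fields (not from the post)

# Constructed sample of what the stealer gathers; every value here is fake.
SAMPLE_FIELDS = {
    "cookies": "c_user=100012345678901; xs=12%3Aabcdef%3A2%3A1700000000",
    "access_token": "EXAMPLE_TOKEN_NOT_REAL",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "ip": "203.0.113.42",
    "pages": '[{"id":"1","name":"Example Page","fan_count":1200}]',
    "business": '{"id":"99","verification_status":"verified"}',
    "ad_accounts": '[{"id":"act_1","account_status":"live","currency":"USD"}]',
}

# Heuristic strings that only appear once the payload has been decoded:
# c_user and xs are Facebook's user-id and session cookies, act_ prefixes
# ad account IDs, fan_count comes from the managed-pages query.
FB_INDICATORS = ("c_user=", "xs=", "access_token", "act_", "fan_count")


def encode_exfil(fields: dict) -> str:
    """Mirror the described pipeline: concatenate -> URL-encode -> base64."""
    blob = SEP.join(f"{name}={value}" for name, value in fields.items())
    quoted = urllib.parse.quote(blob, safe="")  # encode every reserved char
    return base64.b64encode(quoted.encode("utf-8")).decode("ascii")


def decode_exfil(payload: str) -> dict:
    """Reverse the pipeline on a payload lifted from a proxy log or PCAP.

    Tolerates stripped padding and the URL-safe base64 alphabet, both of
    which are common once the blob has passed through a query string.
    Raises ValueError on data that is not base64 at all.
    """
    compact = payload.strip().replace("-", "+").replace("_", "/")
    compact += "=" * (-len(compact) % 4)
    raw = base64.b64decode(compact).decode("utf-8", errors="replace")
    blob = urllib.parse.unquote(raw)
    fields = {}
    for part in blob.split(SEP):
        # Split on the first "=" only: cookie strings contain their own "=".
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def exfil_indicators(payload: str) -> list:
    """Return the Facebook-specific indicators present in a decoded payload.

    An empty list means either the blob did not decode or nothing in it
    looks like Facebook session or ad-account data.
    """
    try:
        fields = decode_exfil(payload)
    except ValueError:
        return []
    text = SEP.join(f"{name}={value}" for name, value in fields.items())
    return [marker for marker in FB_INDICATORS if marker in text]


if __name__ == "__main__":
    payload = encode_exfil(SAMPLE_FIELDS)
    print("on the wire:", payload[:48] + "...")
    print("victim ip:  ", decode_exfil(payload)["ip"])
    print("indicators: ", exfil_indicators(payload))
```

When hunting in proxy logs, run `exfil_indicators` over the body or query parameter of each POST to an untrusted host; matching on the decoded text rather than the raw request is what makes the cookie names and ad account IDs visible again. Note that the real separator and field names are unknown from this excerpt, so the split in `decode_exfil` is a placeholder to adjust once a sample is in hand.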
