An alleged hacker from Libya is suspected for conducting one of the biggest malware operations using Facebook to access the personal information of thousands of users mainly in Libya. The hacker apparently also impersonated one of Libya's National Army Commanders, Khalifa Haftar on Facebook and used a network of Facebook pages and groups to spread their malware.

The discovery was made by researchers at Check Point Software Technologies who further explained that the hacker tricked targeted Facebook users into clicking on links and files posted on both fake and legitimate pages and groups that would also end up downloading malware.

"Our investigation started when we came across a Facebook page impersonating the commander of Libya’s National Army, Khalifa Haftar. In addition to being a Field Marshal, Haftar is a prominent figure in Libya’s political arena and has had major roles as a military leader in the country’s ongoing civil war. Through this Facebook page we were able to trace this malicious activity all the way down to the attacker responsible for it and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware and, in the end, successfully made their way to tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada."

One of the posts by the hacker promising an army registration app but was instead malware.

What seems to have compelled some Facebook users to click on the links is that some of the posts claimed claimed to be leaks containing documents exposing countries such as Qatar and Turkey for allegedly conspiring against Libya. In some cases the links promised photos of a captured pilot that tried to bomb Libya's capital city, Tripoli. Given the tense situation in Libya since the assassination of previous leader, Moummar Gadhafi, such news and posts generate a lot of interest on Facebook among most Libyans.

In some cases, impersonating the National Army Commander, some of the links posted by the hacker in various Facebook groups and pages said they were for mobile apps that are intended for Libyans interested in joining the army, except they were leading to malware meant to steal user data.

"By looking up the unique mistakes, we were able to find more than 30 Facebook pages that have been spreading malicious links since at least 2014. Some of those pages are extremely popular, have been active for many years, and are followed by more than 100K users. Below are the five most popular Facebook pages that used in this attack, and the amount of followers each one has."

Source: CheckPoint Technologies.

The hacker apparently also used some Russian and Libyan companies' websites that they'd compromised to host some of the malware so that users would not be suspicious when downloading from the apps from those websites.

This all highlights the importance of basic Internet security education for all web users and more importantly being vigilant and alert before clicking on any unkown links on the web.

Share this article via: