Facebook Detects Malware That Was Being Used for Ad Fraud

Facebook shut down malware out of China that stole user credentials to serve ads for diet pills, sexual health products and counterfeit goods including designer handbags, shoes and sunglasses. The hackers used the payment method associated with each victim’s account to purchase the ads, at a cost to victims of $4 million. The social media company first exposed these attacks in 2018 and traced them to ILikeAd Media International, filing a civil suit against the firm and the two Chinese nationals who allegedly developed the malware.

Wired reports the malware, dubbed SilentFade, works via some “novel” methods including “proactively blocking a user’s notifications so the victim wouldn’t be aware that anything was amiss.” Facebook malware researcher Sanchit Karve stated the company “first discovered SilentFade in December 2018 when a suspicious traffic spike across a number of Facebook end points indicated a possible malware-based account compromise attack for ad fraud.”

Although the hackers couldn’t access credit card numbers, they were able to access payment methods once they were inside an account. In the 2018 attack, Facebook reimbursed “an unspecified number of users for the $4 million in fraudulent ad charges.”

Users would download SilentFade when it was bundled with “pirated copies of name-brand software.” The malware would then search for “special Facebook cookies in Chrome, Firefox, and other popular browsers,” specifically for “session tokens” that would give the attackers an easy way to enter a user’s Facebook account without login credentials.

To fool Facebook, hackers would “even set up their systems to appear to be in the same general region that the victim was in when they generated their session token.” Attackers used other tricks to exploit vulnerabilities, including, said Facebook director of product management Rob Leathern, “a variety of cloaking mechanisms and traffic redirection to hide their traces.” He added that although Facebook has teams to catch these ploys, “it’s challenging to do so in an automated way.”

Facebook researchers reported that, “it’s not totally clear what happened to users who clicked the malicious ads” but it appears that “the hackers really were simply trying to monetize their scam to sell counterfeit goods … [or possibly] that the actors behind SilentFade got a commission from other vendors for helping them make sales.” Facebook patched SilentFade’s ability to suppress notifications, which led to a “marked drop-off” in its use, but “variants have also been used to target other large tech platforms, including Twitter and more recently Amazon.”

A few months before Facebook first noted SilentFade, security firm Radware published its discovery of a “different Facebook credential-harvesting campaign that Facebook now says was created by the same China-based actor” and was “distributed through phishing emails.” The malware, Stresspaint, was bundled with a drawing application, Relieve Stress Paint, and Radware found that, “in less than five days the attackers had infected more than 40,000 targets.”

Radware product manager Adi Raff noted that, “the group itself seems very sophisticated.” “It’s been active for almost four years, and it’s developed a number of different variations of malware with different capabilities,” he said.