Millions of Facebook Business Accounts Bitten by Python Malware

Published: 23/11/2024   Category: security


The MrTonyScam has a surprisingly high success rate, spreading a Python-based stealer to some 100,000 business accounts per week.



Attackers are targeting millions of Facebook business accounts with malicious messages, sent via Facebook Messenger from a botnet of fake and hijacked personal Facebook accounts. The goal is to spread an info-stealing malware that can intercept browsing sessions and account cookies, and it's hitting 100,000 Facebook business accounts per week, according to researchers.
The Python-based stealer successfully infects about 1.4% of targets, or about one out of 70 of those reached, Guardio Labs revealed in a blog post on Sept. 11. Guardio has dubbed the effort the MrTonyScam, based on the name of the administrator of a Telegram channel with which the stealer interacts.
"Facebook's Messenger platform has been heavily abused in the past month to spread endless messages with malicious attachments from a swarm of fake and hijacked personal accounts," Oleg Zaytsev, a Guardio Labs security researcher, wrote in the post.
Indeed, there has been an uptick recently in various threat campaigns aimed at hijacking Facebook business accounts, all of which is supporting a thriving business on Telegram dark markets to sell these accounts to cybercriminals to use for further nefarious activity.
"We see numerous channels and users offering everything from specific high-value accounts to logs of hundreds and thousands of hijacked business accounts (BM - Business Manager), advertisement accounts with reputation, or even linked payment methods and credits (Agency Accounts)," Zaytsev wrote.
Some of the tactics and techniques of the campaign match previous ones used by a Vietnam-based threat actor, according to the research, with the bulk of the victims of the far-reaching campaign being based in North America, Europe, Asia, and Australia.
From a technical standpoint, "the attack's messages contain a compressed stealer payload that targets the victims' installed browsers to lift session cookies; these are then sent to threat actors' IM channels in a swift and effective operation," Zaytsev wrote.
He added that there are several aspects to the campaign that appear to contribute to its unusual rate of success, despite requiring action on the part of message recipients. One is the ability for messages, which vary in content but share similar context, to slip past spam detectors that scan for mass mailings. For instance, some of the messages are complaints addressing the page for violating policies, while others may include questions related to a product that is likely advertised by the target account. "This variation and the use of different filenames, as well as the addition of Unicode characters to different words, make each message unique," Zaytsev wrote.
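The evasion described above relies on each copy of a message looking unique to a filter that compares raw text: inserted Unicode characters, look-alike letters and changing attachment names. As an added illustration (not Guardio's code, nor anything from the campaign), the following Python canonicalises messages before fingerprinting them, so disguised copies of one template collapse back into a single cluster that can be rate-limited or reviewed; the sample messages and the small confusables table are constructed for this example.

```python
import hashlib
import re
import unicodedata
from collections import defaultdict

# Constructed map of a few Cyrillic look-alikes to their Latin counterparts
# (a real deployment would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Attachment names change from message to message; neutralise them.
ATTACHMENT_RE = re.compile(r"\S+\.(?:rar|zip)\b", re.IGNORECASE)

def canonicalize(text: str) -> str:
    """Fold the variation tricks so copies of one template compare equal."""
    text = unicodedata.normalize("NFKC", text)  # fullwidth/compat forms -> ASCII
    # Drop format characters: zero-width space, joiner, non-joiner and friends.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    text = text.translate(CONFUSABLES).lower()
    text = ATTACHMENT_RE.sub("<attachment>", text)
    text = re.sub(r"[^\w\s<>]", " ", text)  # punctuation is noise here
    return re.sub(r"\s+", " ", text).strip()

def fingerprint(text: str) -> str:
    """Short, stable id of the message template."""
    return hashlib.sha256(canonicalize(text).encode()).hexdigest()[:16]

def cluster_messages(messages):
    """Map template fingerprint -> indices of messages sharing it."""
    clusters = defaultdict(list)
    for idx, msg in enumerate(messages):
        clusters[fingerprint(msg)].append(idx)
    return dict(clusters)

def suspicious_templates(messages, min_copies=3):
    """Fingerprints seen at least min_copies times: candidates for a mass send."""
    return [fp for fp, idxs in cluster_messages(messages).items()
            if len(idxs) >= min_copies]

# Constructed sample inbox: three disguised copies of one "policy complaint"
# (Cyrillic a/o, zero-width characters, different archive names) plus one unrelated message.
SAMPLE_MESSAGES = [
    "Your page violated our policies. Details: complaint_1923.rar",
    "Your p\u0430ge viol\u200bated our polic\u200dies. Details: report_77.zip",
    "Y\u200cour page vi\u043elated our policies. Details: notice.rar",
    "Is this product available? See: item_4411.zip",
]
```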
The messages also contain a link that appears to be relevant to the content sent in the message, such as a link to a product to check its availability. If clicked, the link downloads a classic stealer payload archived in RAR or zip format, which then uses a multistep process and five layers of obfuscation to hide its content, Zaytsev wrote. The payload also is generated on the fly to avoid static detection.
"The attack flow is a combination of techniques, free/open platform abuse, as well as numerous obfuscation and hiding methods, summing to a quite complex flow," according to the researcher.
Once executed, "the simple, straightforward Python script extracts all cookies and login data (saved usernames and passwords) from several popular browsers it looks for on the victim's computer," he explained in the post. "All this together is sent to a Telegram channel using Telegram's/Discord bot API, which is a common practice among scammers."
The payload's final act is to delete all cookies after stealing them, effectively locking victims out of their accounts. "This gives the scammers time to hijack their session and replace the password so victims can't revoke the stolen session or change the password themselves," Zaytsev said.
MrTonyScam and other campaigns targeting Facebook business users demonstrate how threat actors continue to expose security loopholes in both modern browsers, which continue to store easily decrypted passwords and user cookies, and social media services like Facebook, he said.
"Threat actors will always find new ways to get to us, hijack social accounts, and abuse legitimate services for their malicious deeds," Zaytsev wrote. Meanwhile, Facebook and other social media services "still fail to detect account hijacking in real time, while the Dark Web cybercriminal ecosystem thrives and attracts more and more threat actors," he wrote.
These threats demand even more vigilance on the part of users to consider with suspicion any and all messages from users they don't recognize, as well as the use of more layers of security detection to counter malicious messages before they reach a social-media inbox, Zaytsev advised.
