
Fake Meta Verified and Madgicx Extensions Target Meta Business Accounts

📰 1 unique source, 1 article

Summary


Two campaigns are distributing fake browser extensions to steal Meta Business accounts. The first campaign uses malvertising to push fake 'Meta Verified' extensions, while the second targets Meta advertisers with rogue Chrome extensions pretending to be AI-powered ad optimization tools. The extensions steal session cookies and credentials, and interact with the Facebook Graph API to hijack accounts. The attacks are linked to Vietnamese-speaking actors and aim to sell hijacked accounts on underground forums. The fake 'Meta Verified' extensions are hosted on Box and use Telegram bots to exfiltrate data. The Madgicx Plus extensions are available on the Chrome Web Store and have been installed by multiple users. Both campaigns exhibit sophisticated techniques to industrialize malvertising and account hijacking.

Timeline

  1. 11.09.2025 12:05 📰 1 article · ⏱ 6d ago

    Fake Madgicx Plus and SocialMetrics Extensions Target Meta Business Accounts

    Two campaigns distributing fake browser extensions to steal Meta Business accounts have been identified. The first campaign uses malvertising to push fake 'Meta Verified' extensions, while the second targets Meta advertisers with rogue Chrome extensions. The extensions steal session cookies and credentials, and interact with the Facebook Graph API to hijack accounts. The attacks are linked to Vietnamese-speaking actors and aim to sell hijacked accounts on underground forums. The fake 'Meta Verified' extensions are hosted on Box and use Telegram bots to exfiltrate data. The Madgicx Plus extensions are available on the Chrome Web Store and have been installed by multiple users. Both campaigns exhibit sophisticated techniques to industrialize malvertising and account hijacking.

Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

VS Code Marketplace Flaw Allows Reuse of Deleted Extension Names

A flaw in the Visual Studio Code Marketplace allows threat actors, notably WhiteCobra, to republish deleted extensions under the same names. This vulnerability was discovered after identifying a malicious extension named "ahbanC.shiba" that mimicked previously flagged extensions. The flaw enables attackers to reuse names of removed extensions, posing a risk to software supply chain security. The malicious extensions act as downloaders, retrieving a PowerShell payload that encrypts files and demands Shiba Inu tokens. This issue highlights the need for secure development practices and proactive monitoring of software repositories. WhiteCobra has targeted VSCode, Cursor, and Windsurf users by planting 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The campaign is ongoing as the threat actor continuously uploads new malicious code to replace the extensions that are removed. The group is responsible for the $500,000 crypto-theft in July, through a fake extension for the Cursor editor.