The image of billionaire Elon Musk is being used to target Facebook users in the latest cryptocurrency scam that uses the images of public figures to rob its victims.

The ‘malvertising’ scam, which has claimed victims in Australia and New Zealand, borrows the reputations of well-known crypto exchanges to pass its ads off as legitimate, tricking people into downloading malicious software onto their devices.

The images of US actor and singer Zendaya and star footballer Cristiano Ronaldo have also been used in the scam.

In March the Australian Federal Police warned that crypto exchange impersonation scams were on the rise.

These scams rely on the victims trusting that the communication is legitimate, fooling them into parting with their cash.

What’s worrying is that the malicious site checks its visitor first: if it detects suspicious conditions, such as a security analyst or an automated scanner inspecting the page, it serves harmless, unrelated content instead, which is how it evades detection by most cybersecurity vendors.

The persistent malvertising campaign is being investigated by cybersecurity company Bitdefender Labs. The researchers describe an evolving threat that deploys cleverly disguised front-end scripts and custom payloads on users’ devices, all under the guise of legitimate platforms and influencers.

In a statement about the scam, Bitdefender said the attackers use advanced evasion tactics, mass brand impersonation and sophisticated user-tracking methods to bypass conventional defences and keep a large pool of victims.

Take extra care

Bitdefender urged Facebook users to be extra vigilant: download software only from vendors’ own websites, use scam and link-checking tools, keep security software updated, be wary of pages that insist on a particular browser, and report anything suspicious.

The campaign has been running for several months and keeps producing new ads that trade on the imagery and trust associated with cryptocurrency brands; fresh ads continue to appear regularly.

Malware is delivered via covert communication between the malicious website’s front-end script and a server running on the victim’s own machine (localhost), a method that evades detection by most security vendors.

By orchestrating malware deployment through a seemingly harmless intermediary, attackers remain stealthy.

The threat actors use sophisticated anti-sandbox checks and deliver malware only to visitors who match specific demographic or behavioural profiles.

Query parameters related to Facebook ads are used to detect legitimate victims, while suspicious or automated analysis environments receive benign content.
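The cloaking described above can be exposed with a differential fetch: request the landing page once with the ad-click parameters intact and once with them stripped, and compare the two responses. The block below is an added example for this article, not Bitdefender’s tooling or the campaign’s own code. It assumes the gate keys on Facebook’s standard click identifier `fbclid` (plus the usual `utm_*` tags); the article does not name the exact parameters the campaign checks. The `fetch` callable is injected so the same check can drive a sandboxed browser or a proxy replay; the `fake_cloaked_site` function is a constructed stand-in used only to demonstrate the behaviour offline.

```python
"""Differential fetch to expose query-parameter cloaking on a landing page.

Added example; not the campaign's code and not Bitdefender's tooling.
Assumption: the site keys on Facebook's 'fbclid' click identifier and
utm_* tags. The real parameter list is not published in the article.
"""
import hashlib
from typing import Callable, Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters that mark a visitor as having arrived through a Facebook ad.
# Assumption: the campaign's actual list is unknown; these are the common ones.
AD_PARAMS = {"fbclid", "utm_source", "utm_medium", "utm_campaign"}


def _query_keys(url: str) -> set:
    return {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}


def looks_like_ad_click(url: str) -> bool:
    """True if the URL carries any ad-attribution parameter."""
    return bool(_query_keys(url) & AD_PARAMS)


def strip_ad_params(url: str) -> str:
    """Return the same URL with the ad-attribution parameters removed."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in AD_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def compare_cloaked_variants(url: str, fetch: Callable[[str], bytes]) -> Dict[str, object]:
    """Fetch with and without ad parameters; a differing body means cloaking.

    `fetch` is injected (sandboxed browser, proxy replay, or the fake below),
    so this function itself never touches the network.
    """
    with_params = fetch(url)
    without_params = fetch(strip_ad_params(url))
    h_with = hashlib.sha256(with_params).hexdigest()
    h_without = hashlib.sha256(without_params).hexdigest()
    return {
        "ad_click_url": url,
        "stripped_url": strip_ad_params(url),
        "cloaked": h_with != h_without,
        "sha256_with_params": h_with,
        "sha256_without_params": h_without,
    }


def fake_cloaked_site(url: str) -> bytes:
    """Constructed stand-in for a cloaking landing page (demo only, not the real site)."""
    if looks_like_ad_click(url):
        return b"<html>Download our desktop client: installer.msi</html>"
    return b"<html>Welcome to our cooking blog</html>"


if __name__ == "__main__":
    demo = "https://example.invalid/landing?fbclid=IwAR0abc123&utm_source=fb"
    print(compare_cloaked_variants(demo, fake_cloaked_site))
```

The practical caveat for analysts: when detonating one of these URLs, keep the full ad-click URL. Submitting the bare domain to a scanner reproduces exactly the condition the site uses to decide that it is being inspected, and the scanner sees the benign page.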

Delivered through Meta’s ad network, the ads promise quick financial gains and crypto bonuses, and some bolster their credibility by featuring the image of a public figure.

Clicking on one of these ads redirects victims to a site that impersonates a known cryptocurrency platform such as Binance, TradingView, ByBit, SolFlare, MetaMask, Gate.io or MEXC, instructing them to download a desktop client.

Facebook warning

One particularly deceptive instance is a Facebook clone that mirrors TradingView’s official Facebook page.

From the profile pictures to posts and comments touting a free ‘Annual Ultimate Subscription’, everything is fabricated, except for the central buttons that redirect victims to the real Facebook website.

Researchers have uncovered hundreds of Facebook accounts promoting these malware-delivering pages, all pushing financial benefits.

In one notable example, a single page ran over 100 ads in a single day in April.

While many ads are quickly removed, some garner thousands of views before being taken down.

All analysed malware samples were named ‘installer.msi’ and were around 800 KB in size.

After installation, the malware opens the impersonated entity’s web page through msedge_proxy.exe.

Victims also receive a suspicious DLL that starts a local .NET-based server on port 30308 (or 30303 in a newer version).
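The two host-side artefacts reported above, the loopback listener on 30308/30303 and the ~800 KB `installer.msi`, are easy to check for. The block below is an added triage example for this article, not Bitdefender’s tooling. It assumes the listener answers plain HTTP (the article only says the site’s front-end script talks to it) and uses a 25% tolerance around the reported 800 KB; `self_check` builds a constructed 800 KB file and a temporary loopback socket so the detectors can be exercised without real malware.

```python
"""Host triage for the reported artefacts: a loopback listener on 30308/30303
and an ~800 KB 'installer.msi'.

Added example; not Bitdefender's tooling. Assumptions: the listener speaks
HTTP (only its response metadata is recorded), and a 25% size tolerance.
"""
import hashlib
import http.client
import socket
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SUSPECT_PORTS = (30308, 30303)          # from the report
SUSPECT_NAME = "installer.msi"          # from the report
SUSPECT_SIZE = 800 * 1024               # ~800 KB, from the report


def loopback_listener(port: int, timeout: float = 0.3) -> bool:
    """True if something accepts TCP connections on 127.0.0.1:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex(("127.0.0.1", port)) == 0


def http_banner(port: int, timeout: float = 1.0) -> Optional[Dict[str, str]]:
    """Status line and headers from the listener, or None if it is not HTTP.

    Assumption: a GET / is harmless; the body is discarded.
    """
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        info = {"status": str(resp.status)}
        info.update({k.lower(): v for k, v in resp.getheaders()})
        conn.close()
        return info
    except (OSError, http.client.HTTPException):
        return None


def check_listeners(ports=SUSPECT_PORTS) -> Dict[int, Optional[Dict[str, str]]]:
    """Map each port to its HTTP banner, {} if open but not HTTP, None if closed."""
    result: Dict[int, Optional[Dict[str, str]]] = {}
    for p in ports:
        result[p] = (http_banner(p) or {}) if loopback_listener(p) else None
    return result


def find_suspect_msi(root: Path, tolerance: float = 0.25) -> List[Dict[str, object]]:
    """Walk `root` for files named installer.msi inside the reported size band."""
    low, high = SUSPECT_SIZE * (1 - tolerance), SUSPECT_SIZE * (1 + tolerance)
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == SUSPECT_NAME:
            size = path.stat().st_size
            if low <= size <= high:
                hits.append({"path": str(path), "size": size,
                             "sha256": hashlib.sha256(path.read_bytes()).hexdigest()})
    return hits


def self_check() -> Dict[str, object]:
    """Exercise both detectors on constructed artefacts (no real malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / SUSPECT_NAME).write_bytes(b"\0" * SUSPECT_SIZE)      # in band
        (Path(tmp) / "small").mkdir()
        (Path(tmp) / "small" / SUSPECT_NAME).write_bytes(b"\0" * 10 * 1024)  # too small
        msi_hits = len(find_suspect_msi(Path(tmp)))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        open_seen = loopback_listener(port)
    closed_seen = loopback_listener(port)   # server socket is closed now
    return {"msi_hits": msi_hits, "open_detected": open_seen, "closed_detected": closed_seen}


if __name__ == "__main__":
    print("listeners:", check_listeners())
    print("downloads:", find_suspect_msi(Path.home() / "Downloads"))
    print("self-check:", self_check())
```

On a Windows host, pair the port check with a process listing: a `msedge_proxy.exe` instance launched with the impersonated brand’s URL, alongside an unexpected .NET process holding one of these ports, matches the post-install behaviour described above. Record the listener’s banner and the MSI hash before cleaning up, since those are what a vendor needs for attribution.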

Victims are urged to contact police and to report the scam to Scamwatch so that others can avoid similar scams.

How users can stay safe:*

1. Scrutinise ads: Be cautious with any ad offering free software or incredible financial gains. Always verify the source before clicking links or downloading content.

2. Use official sources only: Download software directly from the vendor’s website. Examples from this campaign include official pages for TradingView, Binance, and MetaMask.

3. Use dedicated scam and link-checking tools: Bitdefender Scamio and Link Checker can help you verify a website’s legitimacy before you click or share. These tools provide an additional layer of defence by scanning URLs and alerting you to potential scams or malicious content.

4. Keep security software updated: Choose a reputable security solution capable of detecting evolving threats. Regular updates ensure you have the latest protection mechanisms.

5. Beware of browser restrictions: If a page insists on using a specific browser or looks suspiciously polished while being otherwise non-functional, close it immediately.

6. Report suspicious ads: Flag questionable advertisements on Facebook to help disrupt this and future malvertising campaigns.

*Source: Bitdefender Labs