Even as much attention is focused on problems with Meta Platform Inc.’s personal use, other dangers involving business social media accounts are emerging as well.

A new report from G Data Software Tuesday about a recent attack using malware-laced Facebook ads shows how it can happen and the depths of the danger, and it offers some suggestions on potentially how to avoid future situations.

The report describes the takeover of a business account. “Instead of creating accounts themselves and risking a block on their own accounts, criminals hijack other people’s business accounts for their own purposes,” wrote Tim Berghoff, a security evangelist with the company. He documented the numerous steps involved in the attack G Data witnessed on a marketing agency that took place in July.

The affair began with a message inquiring about a potential marketing partnership with an actual handbag maker. That led to a password-protected ZIP archive.

When expanded, only one of the many files in the archive contained malicious code, which was used to steal a browser session cookie. That was sent to a Telegram bot and also installed malware on the victim’s personal computer that would establish a persistent connection. As a result, the malware would be activated even after rebooting the PC.

The cookie is used to connect to the agency’s Facebook account, which the attackers then proceeded to use to book various ad campaigns billed to the agency, and eventually to change the owner’s password and phone number on the account to complete the takeover. The criminals had access to the agency’s account for at least 40 days.

The attack also had multiple victims. Besides the agency itself, there also was the handbag maker who now had to fight potential “brandjacking” as well as deal with the people who viewed the malicious ad and subsequently lost their own funds.

This case is just one of many other types of business ad fraud schemes. Check Point Software Technologies Ltd.’s blog noted malware-laced ads for fake ChatGPT and other AI services earlier this summer. And Malwarebytes noted a “resurgence in sponsored posts and accounts that impersonate Facebook’s own Ads Manager.” Victims were lured into using the phony manager portals and subsequently had their login credentials stolen. Techcrunch reported similar fake Facebook Ad Manager scams on the rise.

How to fight ad hijacking

There are several things that businesses can do to protect their social media accounts. First is never to choose the “save a login on this machine” option that’s used to create a session cookie, and log out completely of any account when finished.

Companies also should use multifactor authentication on all accounts, and when possible use hardware tokens such as Yubico or passwordless keys. They should never use the built-in password saving feature of a browser — which can be disabled in Google Chrome, for example, by clicking on this setting. Instead, it’s best to employ a third-party password manager or a single sign-on product that creates unique and long passwords.

It’s advisable to be skeptical and not click on any links in any messages. Finally, companies should be aware of account change messages from Facebook and other social networks and ensure that they originate with legitimate users.

Image: Chetraruc/Pixabay