Skip to Content
Security & privacy

These Facebook accounts spread malware for years, affecting thousands

Despite pulling billions of fake accounts in May, Facebook missed about three dozen fake accounts that had been spreading malware for five years. It’s only now that Facebook found out about them and took them down.

They were discovered by an outside cybersecurity company. Through links in postings, the accounts spread malicious source code and bad Android apps to thousands of Facebook users on desktops and mobile phones.

We’ll tell you how the bad accounts operated, what they did and how they were finally uncovered. We also offer ways for you to deal with Facebook headaches.

‘Operation Tripoli’ hits Facebook

More than 30 accounts engaged in an elaborate campaign to spread Remote Access Trojans (RATs) were taken off Facebook recently. Dubbed “Operation Tripoli,” the accounts purported to provide news about the ongoing political strife in Libya.

“Operation Tripoli” was uncovered by researchers at cybersecurity vendor Check Point Research. They say some of the accounts had been operating on Facebook since 2014. The company alerted Facebook to the dangerous fake accounts.

The researchers found some of the accounts had as many as 100,000 followers. The ruse worked by luring people to click links “and downloading files that are supposed to inform about the latest airstrike in the country or the capturing of terrorists, but instead contain[ed] malware.”

Check Point Research states in a blog post that its investigation began when they came across a Facebook page imitating the commander of Libya’s National Army, Khalifa Haftar. It was through the fake Hafter account that researchers uncovered “Operation Tripoli.”

“Through this Facebook page we were able to trace this malicious activity all the way down to the attacker responsible for it and find out how they have been taking advantage of the social networking platform for years, compromising legitimate websites to host malware and, in the end, successfully made their way to tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada,” according to Check Point Research’s blog post.

The fake Haftar Facebook page was created in early April and quickly accumulated 11,000 followers. The page shared posts with political themes and included URLs that lured users to download files that purportedly contained leaks from Libya’s intelligence agencies.

Instead, the links would download malicious files onto unsuspecting victims devices. Operation Tripoli used open-source tools and infected victims with RATs such as Houdini, Remcos and Spy Note, often used in run-of-the-mill hack attacks.


Related: Facebook (finally) blocks quizzes that mine your personal info


Unraveling the Facebook campaign

Check Point Research found the Haftar page’s web address had misspelled Haftar’s name. That led researchers to a blogger who has been active since 2015.

By following a trail of misspelled Arabic words and incorrect phrasing, researchers began linking several fake Facebook accounts to the blogger.

“Looking up some combinations of the incorrect phrasing led us to numerous posts across a network of Facebook pages that repeat the same unique mistakes,” Check Point Research stated.

The pattern of misspellings and incorrect phrases led to the discovery of more than 30 Facebook pages that had been spreading malicious links since 2014. Some Facebook accounts were legitimate at some point but were later taken control of by the hacker.

It appears the hacker chose accounts linked to Libya in order to attract thousands of Libyans in their country and across the world interested in the military situation there. The hacker appeared to have no political viewpoint and only seemed interested in spreading malware and sowing chaos.

Because the hacker operated for five years, researchers were able to trace his evolution from a hacker who simply defaced websites to one who ran a more sophisticated operation.

Eventually, researchers were led to the name Dexter Ly. Based on the same pattern of mistakes, the researchers concluded Dexter Ly, a Libyan, was the hacker responsible for all the fake accounts.

More alarmingly, Dexter Ly’s account shared his malicious activity and even published secret documents from Libya’s government, Libyan officials’ phone numbers and email addresses and even screenshots of passport photos.


Related: 5 things you need to change in your Facebook account right now


Fed up with Facebook

Facebook is no stranger to housing bad actors ready to launch malware attacks, including one that stole users’ Facebook credentials. And let’s not forget the Cambridge Analytica mess that grabbed millions of users’ personal information. Oh, and then there are all the data breaches.

So, what to do with Facebook? Kim Komando offers these detailed options on breaking up with Facebook, taking a break from it and taking back control. Kim has step-by-step advice for questions such as:

  • Can’t give it up? At least get rid of third-party access and data collection
  • Don’t want to delete it but want a break? Deactivate!
  • Fed up with the privacy invasion? You can delete your Facebook account, but what does that mean?
  • How do I take control of my information?

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me