Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

A new campaign has been uncovered by Trustwave SpiderLabs where actors are using Facebook job advertisements to trick unsuspecting end users into installing a novel Windows-based stealer malware codenamed Ov3r_Stealer. For its part, Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host. These details could be used to conduct account compromises, siphon funds, and launch further targeted attacks.

Security Officer Comments:
According to researchers, these advertisements are impersonating individuals like Amazon CEO Andy Jassy to attract potential job seekers. The listings include a URL-shortened link to masquerade the destination address. Taking a closer look, this link leads the victim to a DocuSign document hosted on Discord’s content delivery network, which once executed initiates a control panel item (.CPL) file to retrieve a Powershell loader from a GitHub repository, ultimately leading to the launch of Ov3r.Stealer

Suggested Corrections:
Job seekers should avoid clicking on advertisements on Facebook, especially those that incorporate shortened URL links. While these posts can help bring attention to potential job openings, users should go the to company’s official site to verify the authenticity of these listings, and proceed to directly apply on the site if interested.