Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts
Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data.
The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. At least 37 malicious ads have been observed serving the extension in question.
"The malicious ads are bundled with a video tutorial that guides viewers through the process of downloading and installing a so-called browser extension, which claims to unlock the blue verification tick on Facebook or other special features," the Romanian cybersecurity vendor said.
But, in reality, the extension – which is hosted on a legitimate cloud service called Box -- is capable of collecting session cookies from Facebook and sending them to a Telegram bot controlled by the attackers. It's also equipped to obtain the victim's IP address by sending a query to ipinfo[.]io/json.
Select variants of the rogue browser add-on have been observed using the stolen cookies to interact with the Facebook Graph API to likely fetch additional information related to the accounts. In the past, malware like NodeStealer has leveraged the Facebook Graph API to collect budget details of the account.
The end goal of these efforts is to sell valuable Facebook Business and Ads accounts on underground forums for profit to other fraudsters, or repurpose them to fuel more malvertising campaigns, which, in turn, leads to more hijacked accounts – effectively creating a self-perpetuating cycle.
The campaign exhibits all the "fingerprints" typically associated with Vietnamese-speaking threat actors, who are known to adopt various stealer families to target and gain unauthorized access to Facebook accounts. This hypothesis is also bolstered by the use of Vietnamese to narrate the tutorial and add source code comments.
"By using a trusted platform, attackers can mass-generate links, automatically embed them into tutorials, and continuously refresh their campaigns," Bitdefender said. "This fits a larger pattern of attackers industrializing malvertising, where everything from ad images to tutorials is created en masse."
The disclosure with another campaign that's targeting Meta advertisers with rogue Chrome extensions distributed via counterfeit websites posing as artificial intelligence (AI)-powered ad optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.
"Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts," Cybereason said.
"The extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.
The extensions, the first of which is still available for download from the Chrome Web Store as of writing, are listed below -
- Madgicx Plus - The SuperApp for Meta Advertisers (ID: eoalbaojjblgndkffciljmiddhgjdldh) - Published in February 2025 (28 Installs)
- Meta Ads SuperTool (ID: cpigbbjhchinhpamicodkkcpihjjjlia) - Published in March 2025 (11 Installs)
- Madgicx X Ads - The SuperApp for Meta Advertisers (ID: cpigbbjhchinhpamicodkkcpihjjjlia) - Published in March 2025 (3 Installs)
Once installed, the extension gains full access to all websites the user visits, enabling the threat actors to inject arbitrary scripts, as well as intercept and modify network traffic, monitor browsing activity, capture form inputs, and harvest sensitive data.
It also prompts users to link their Facebook and Google accounts to access the service, while their identity information is covertly harvested in the background. Furthermore, the add-ons function similarly to the aforementioned fake Meta Verified extension in that it uses victims' stolen Facebook credentials to interact with the Facebook Graph API.
"This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets," Cybereason said.
