Libyan hacker faked militia chief's Facebook page for cyberstrike

JERUSALEM • In one of the largest malware campaigns to exploit Facebook, a suspected Libyan hacker lured tens of thousands of people into exposing personal information and granting access to their personal devices, according to Israeli cyber-security company Check Point Software Technologies.

A Facebook page impersonating Khalifa Haftar, the head of a militia fighting Libya's internationally recognised government, was Check Point's first clue to a malware attack that had been going on for five years, the company said.

Repetitive spelling mistakes in Arabic that suggested the user had dyslexia helped researchers track other pages set up by the hacker, who used an avatar called Dexter Ly, the company added.

"Facebook is not widely used to infect people with malware," said Mr Lotem Finkelstein, Check Point's head of research. "This is probably one of the biggest malware campaigns using the platform."

While Facebook itself was not breached, according to Check Point, the hack highlighted how social media platforms can be abused to carry out attacks.

About 50,000 users from North Africa, Europe and the United States clicked on infected links that included alleged reports from Libyan intelligence units exposing Qatar or Turkey as conspiring against Libya, or bogus photos of a purportedly captured pilot who tried to bomb Libya, according to Check Point.

Others were supposed to lead to mobile recruitment sites for Haftar's armed forces. Facebook said it could not confirm the figures.

Previous incidents of Facebook users hit by malware attacks included a 2017 hack that used the platform's Messenger feature to infect computers with malware that mined cryptocurrency.

Facebook and other social media companies have also come under assault for failing to curb fake news on their platforms. Facebook has said it removed 2.2 billion fake accounts in the first quarter alone.

The suspected Libyan hacker has since shared sensitive information culled through the attack, including secret Libyan government documents as well as e-mails, phone numbers and pictures of passports belonging to officials, Check Point said in a blog post.

The secret documents included policy updates and internal intelligence reports from foreign embassies in Libya and Libyan embassies abroad.

Check Point started tracing the hacker after the company's researchers found a file that looked suspicious and followed the trail.

"These pages and accounts violated our policies and we took them down after Check Point reported them to us," Facebook said in an e-mailed statement.

The hacker, an Arabic speaker, used his knowledge of Libya's political strife to draw Facebook users to more than 30 pages that he either commandeered or impersonated, Check Point said.

The majority of the pages offered news from cities such as the capital Tripoli and Benghazi, while others supported political campaigns or military operations.

"This was unique in its scope of actual and potential victims, as well as in the length of the campaign," Mr Finkelstein said.

BLOOMBERG

A version of this article appeared in the print edition of The Straits Times on July 02, 2019, with the headline 'Libyan hacker faked militia chief's Facebook page for cyberstrike'.