
An ongoing cybercriminal campaign is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using newly discovered data-stealing malware.

Researchers at WithSecure, an enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail and found evidence to suggest a Vietnamese threat actor had been developing and distributing the malware since the latter half of 2021. The company added that the motivations of the operation appear to be purely financially driven.

The threat actor first scouts targets through LinkedIn, where it selects employees who are likely to have high-level access to Facebook Business accounts, especially those with the highest level of access.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain undetected,” said Mohammad Kazem Hassan Nejad, a malware researcher and analyst at WithSecure Intelligence. “We have observed individuals with management, digital marketing, digital media and human resources roles in companies to be targeted.”

The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, such as Dropbox or iCloud. Although the file contains keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authentic Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account to which the victim has sufficient access simply by adding their email address to the compromised account, which prompts Facebook to send a link, via email, to the same email address.

“Then the recipient – in this case, the threat actor – interacts with the email link to gain access to that Facebook Business. This mechanism represents the standard process used to grant individuals access to Facebook Business, thus bypassing security features implemented by Meta to protect against such abuse,” Nejad said.

The threat actors then leverage their new privileges to replace the financial details set on the account, in order to direct payments to their own accounts or to run Facebook Advertising campaigns using funds from the victimized companies.

WithSecure, which shared its research with Meta, said it was “unable to determine the success, or lack thereof” of the Ducktail campaign and could not say how many users may have been affected, but noted that it has not seen a regional pattern in Ducktail's targeting, with potential victims spread across Europe, the Middle East, Africa and North America.

A Meta spokesperson told TechCrunch in a statement:

We welcome security research into the threats targeting our industry. This is a very hostile space and we know that these malicious groups will still try to avoid our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is usually downloaded off the platform, we encourage people to be careful about what software they install on their devices.
