An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an attempt to hijack Facebook business accounts using a newly discovered data-theft malware.
Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign, which they dubbed Ducktail, and found evidence that a Vietnamese threat actor has been developing and distributing the malware since late 2021. The firm said the objectives of the operation appear to be purely financial.
The threat actor first identifies targets through LinkedIn, selecting employees who are likely to have high-level access to Facebook business accounts, in particular those with the highest level of access.
“We believe that Ducktail operators carefully select certain targets and go unnoticed in order to increase their chances of success,” said Mohamed Kazem Hassan Nejad, a researcher and malware analyst at WithSecure Intelligence. “We have seen individuals with managerial, digital marketing, digital media and human resources roles in target companies.”
The threat actor then uses social engineering to persuade the target to download a file hosted on a legitimate cloud host such as Dropbox or iCloud. While the file carries keywords related to brands, products and project planning in an effort to appear legitimate, it actually contains data-stealing malware that WithSecure says is the first malware it has found specifically designed to hijack Facebook business accounts.
Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook business account the victim has sufficient access to by adding the attacker's email address to the compromised account, which prompts Facebook to send a link to that same email address.
The recipient, in this case the threat actor, then interacts with the emailed link to gain access to that Facebook business. “This mechanism represents the standard process used to give people access to a Facebook business, and thus circumvents the security features implemented by Meta to protect against such abuse,” Nejad says.
The threat actor then uses the newly gained privileges to alter the financial details on the account, either to make payments directly to their own accounts or to run Facebook advertising campaigns with the victim firms’ money.
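Because the takeover described above works by inviting an attacker-controlled email address into the business account through Facebook's normal access-granting flow, one defensive control is a periodic review of who holds access and at what level. The script below is an added example, not code from WithSecure, Meta or the article; the record format (fields `email`, `role`, `added_at`, `status`) and the sample accounts are constructed for illustration and are not a real Facebook export or API response.

```python
"""Audit the list of people with access to a Facebook Business account.

Added example: flags access grants that match the Ducktail pattern
(an outside address invited with high-level access, an invitation that
is still pending, or admin access granted very recently). The input
format is an assumption: a list of user records as an administrator
might export by hand; the field names and values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BusinessUser:
    email: str           # address the access was granted to
    role: str            # "ADMIN" or "EMPLOYEE" (constructed role names)
    added_at: datetime   # when access was granted
    status: str          # "ACTIVE" or "PENDING" (invite link not yet used)


def find_suspicious_users(users, allowed_domains, known_emails, now, window_days=7):
    """Return [(email, [reasons])] for records a human should review.

    A record is flagged when any of the following hold:
      * its address is neither on the approved list nor in a company domain;
      * it holds ADMIN access granted inside the review window;
      * it is still PENDING, i.e. an invitation link that has not been
        redeemed, which is the step an attacker's own address goes through.
    """
    cutoff = now - timedelta(days=window_days)
    allowed_domains = {d.lower() for d in allowed_domains}
    known_emails = {e.lower() for e in known_emails}
    findings = []
    for user in users:
        reasons = []
        address = user.email.lower()
        domain = address.rsplit("@", 1)[-1]
        if address not in known_emails and domain not in allowed_domains:
            reasons.append("external address not on approved list")
        if user.role == "ADMIN" and user.added_at >= cutoff:
            reasons.append("admin access granted within review window")
        if user.status == "PENDING":
            reasons.append("invitation pending (link not yet redeemed)")
        if reasons:
            findings.append((user.email, reasons))
    return findings


def audit_sample():
    """Run the check over constructed sample data and return the findings."""
    now = datetime(2022, 7, 26, tzinfo=timezone.utc)  # constructed review time
    days = lambda n: now - timedelta(days=n)
    users = [
        # long-standing, known administrator: expected, not flagged
        BusinessUser("maria@example-corp.com", "ADMIN", datetime(2021, 3, 1, tzinfo=timezone.utc), "ACTIVE"),
        # new employee-level access from a company domain: not flagged
        BusinessUser("ops@example-corp.com", "EMPLOYEE", days(2), "ACTIVE"),
        # company address but admin access granted yesterday: worth a look
        BusinessUser("newhire@example-corp.com", "ADMIN", days(1), "ACTIVE"),
        # outside address, admin, invite still pending: matches the Ducktail pattern
        BusinessUser("billing-helper@mail.example.net", "ADMIN", days(1), "PENDING"),
    ]
    return find_suspicious_users(
        users,
        allowed_domains=["example-corp.com"],
        known_emails=["maria@example-corp.com"],
        now=now,
    )


if __name__ == "__main__":
    for email, reasons in audit_sample():
        print(f"{email}: {'; '.join(reasons)}")
```

The review window and the domain allowlist are the two knobs a team would tune; the point of the check is that a legitimate invitation and an attacker's invitation look identical to the platform, so the review has to happen on the account owner's side.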
WithSecure, which shared its research with Meta, said it was “unable to determine the success, or lack thereof” of the Ducktail campaign and could not say how many users were potentially affected, but noted that it has not seen regional patterns in Ducktail’s targeting, with potential victims across Europe, the Middle East, Africa and North America.
A Meta spokesperson told Meczyki.Net in a statement: “We welcome security research into threats targeting our industry. This is a highly hostile space and we know these malicious groups will continue to try to evade our identities. We are aware of these particular scammers, regularly apply against them, and continue to update our systems to detect these attempts. Since this malware is usually downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”