Digital marketing and human resources professionals are being targeted by a cybercriminal operation that is trying to hijack Facebook Business accounts.
Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail, and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2011. The motives of the operations seem to be purely financial.
The threat actor begins to target employees with high-level access to Facebook Business accounts by searching for them on the professional networking site.
According to WithSecure Intelligence, the Ducktail operators carefully select a small number of targets to increase their chances of success. Individuals with managerial, digital marketing, digital media, and human resources roles have been targeted.
Social engineering is used by the threat actor to convince the target to download a file from a legitimate cloud host. The file has a number of words related to brands, products, and project planning in an attempt to appear legitimate, but it also contains data-stealing software that is designed to hijack Facebook Business accounts.
Ducktail can steal browser cookies and hijack Facebook sessions to steal information from the victim's Facebook account. The threat actor can hijack any Facebook Business account that the victim has enough access to just by adding their email address to the compromised account, which will prompt Facebook to send a link to the same email address.
The threat actor interacts with the email link to gain access to that business. The mechanism represents the standard process used to grant individuals access to a Facebook Business, and thus circumvents security features implemented by Meta to protect against abuse.
The threat actors use their new privileges to replace the account's financial details in order to direct payments to their accounts or to run Facebook Ad campaigns.
WithSecure was not able to determine the success, or lack of success, of the Ducktail campaign, and it did not see a regional pattern in Ducktail's targeting.
Meta welcomes security research into the threats targeting our industry, according to a statement from the company. We know that these groups will try to get around our detection. We are constantly updating our systems to detect these attempts, and we are aware of these particular scams. People are encouraged to be cautious about what software they install on their devices because this software is usually downloaded off-platform.