New financially-driven malware targets professionals with Facebook Business account access

New malware is on the loose, and it is specifically created to seize Facebook Business accounts. Most importantly, it is targeting individuals with access to such accounts, such as human resource folks and digital marketers. With this, if you are one of them, you might want to be extra careful online, especially when downloading files that look suspicious. (via TechCrunch)

The existence of the malware was discovered by the cybersecurity firm WithSecure, which has already shared the details of its research with Meta. Named the “Ducktail” campaign, the malware is said to be capable of stealing data from targets, who are chosen based on their LinkedIn profile information. To further ensure the operation’s success, the actors are said to select professionals with a high level of access to their company’s Facebook Business accounts.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said WithSecure Intelligence researcher and malware analyst Mohammad Kazem Hassan Nejad. “We have observed individuals with managerial, digital marketing, digital media and human resources roles in companies to have been targeted.”

According to WithSecure, it has found evidence that a Vietnamese cybercriminal has been developing and distributing the malware since 2021. It stated that it could not determine how successful the operation has been or how many users have been affected. In addition, the researchers at WithSecure say that no regional pattern has been observed in the attacks, but victims could be scattered across various locations in Europe, the Middle East, Africa, and North America.

WithSecure explained that after choosing the right targets, the malicious actor would trick them into downloading a file hosted on a cloud service (e.g., Dropbox or iCloud). To make the file convincing, it would even be named with business- and brand-related words. However, the file’s true purpose is to deliver the data-stealing malware hidden inside it.

Opening the file will release the malware, which can steal the target’s valuable data such as browser cookies, which the actors can use to take over authenticated Facebook sessions. With this, they can get their hands on the victim’s Facebook account information, such as location data and two-factor authentication codes. As for those who have access to Facebook Business accounts, the actors simply need to add an email address to the hijacked account.

“The recipient — in this case, the threat actor — then interacts with the emailed link to gain access to that Facebook Business,” Nejad explains. “This mechanism represents the standard process used to grant individuals access to a Facebook Business, and thus circumvents security features implemented by Meta to protect against such abuse.”

Finally, once the Ducktail operators have full control over the Facebook Business accounts, they can replace the accounts’ financial info with their group’s, allowing them to receive clients’ and customers’ payments. This also gives them the chance to use the money linked to the accounts for different purposes.
