EXECUTIVE SUMMARY:

As businesses learn to fend off ransomware, cyber criminals are shifting their attention to other attack types. One such campaign, tracked as Ducktail, is stealthy enough to fool the savviest social media users. And while it ends in the takeover of Facebook Business accounts, it begins with target reconnaissance on LinkedIn.

What’s happening

To reach Facebook Business accounts, the hackers first comb through the LinkedIn profiles of a targeted organization's employees. The goal is to identify privileged users, i.e. the people most likely to hold Facebook Business admin access and therefore the ones whose sessions and credentials are worth stealing.

For example, hackers interested in breaking into the Paper Street Soap Company’s Facebook Business account might start out by identifying the company’s marketing managers or HR representatives on LinkedIn.

The criminals then send those likely account administrators credible-looking phishing emails. Unsurprisingly, a file attached to the email carries information-stealing malware, one built specifically to take over Facebook Business accounts.

The malware

Once on a target's system, the malware steals browser cookies and rides the victim's authenticated Facebook session to pull information out of the account; it does not need the password, because the stolen session cookie already represents a logged-in user. Through that session, the hackers can obtain location data, credit card numbers and two-factor authentication codes.

The takeover itself reuses a legitimate Facebook feature. From inside the hijacked session, the malware adds an email address controlled by the hackers to every Facebook Business the victim has access to. Facebook responds as it would for any new team member: it sends an access link to that address, which is now the hackers' own mailbox.

“The recipient – in this case, the threat actor – then interacts with the emailed link to gain access to that Facebook Business [account]. This mechanism represents the standard process used to grant individuals access to Facebook Business…” says security researcher Mohammad Kazem Hassan Nejad.

Researchers have dubbed the campaign “Ducktail”. The name is apt: because access is granted through Facebook's own invitation process rather than by breaking the login, Ducktail lets the hackers duck past Facebook (Meta)'s existing security features.

Further details

Once inside a Facebook Business account, the hackers can grant themselves the admin and finance editor roles. With those, they can replace the account's stored financial details so that payments flow to hacker-controlled accounts, or run Facebook ad campaigns billed to the targeted firm's payment methods.
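The chain described above (an outside address invited into the Business, the invite accepted from the hackers' mailbox, then admin and finance editor roles held by that address) leaves a visible footprint in the Business Manager user list. The following Python audit is added here and is not code from the article or from the researchers it cites: it flags privileged roles and pending invitations on non-corporate addresses. The Paper Street Soap Company domain, the sample records, the field names `email`/`role` and the role strings `ADMIN`/`FINANCE_EDITOR` are assumptions; they mirror the Graph API `business_users` edge as I understand it, so verify them against the current API reference before relying on the script.

```python
"""Audit a Meta Business Manager user list for the roles Ducktail grants itself.

Added example, not code from the article or from the researchers it quotes.
Assumed input shape: records like those returned by
GET /{business-id}/business_users?fields=email,role (field names and the
role strings ADMIN / FINANCE_EDITOR are assumptions; check the API reference).
"""
from __future__ import annotations

from dataclasses import dataclass

# Roles a takeover needs: an ADMIN can add further users, a FINANCE_EDITOR can
# change payment details (the abuse described in the article).
PRIVILEGED_ROLES = {"ADMIN", "FINANCE_EDITOR"}

# Hypothetical allowlist for the example company used in the article.
ALLOWED_DOMAINS = {"paperstreetsoap.example"}


@dataclass(frozen=True)
class Finding:
    email: str
    role: str
    reason: str


def _domain(email: str) -> str:
    """Lower-cased mail domain; empty string for malformed addresses."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def audit_business_users(users, allowed_domains=ALLOWED_DOMAINS,
                         privileged_roles=PRIVILEGED_ROLES):
    """Return findings for users whose address is outside the allowlist.

    A privileged role on an unknown address is the Ducktail footprint: the
    hackers' own mailbox was invited in and accepted the link. Unprivileged
    unknown users are reported too, because an EMPLOYEE invite today can be
    escalated to ADMIN tomorrow. Malformed addresses (no '@') are flagged.
    """
    findings = []
    for user in users:
        email = user.get("email", "")
        role = user.get("role", "")
        if _domain(email) in allowed_domains:
            continue
        if role in privileged_roles:
            findings.append(Finding(email, role, "privileged role on non-corporate address"))
        else:
            findings.append(Finding(email, role, "non-corporate address present"))
    return findings


def audit_pending_invites(pending, allowed_domains=ALLOWED_DOMAINS):
    """Flag outstanding invitations to non-corporate addresses.

    The invite is the takeover step itself: a hacker who has not yet clicked
    the emailed link still shows up here.
    """
    return [Finding(p.get("email", ""), p.get("role", ""), "pending invite to non-corporate address")
            for p in pending if _domain(p.get("email", "")) not in allowed_domains]


# Constructed sample data (not real accounts) in the assumed API shape.
SAMPLE_USERS = [
    {"email": "tyler@paperstreetsoap.example", "role": "ADMIN"},
    {"email": "marla@paperstreetsoap.example", "role": "EMPLOYEE"},
    {"email": "ads.manager7781@freemail.example", "role": "ADMIN"},
    {"email": "finance.ops@freemail.example", "role": "FINANCE_EDITOR"},
]
SAMPLE_PENDING = [
    {"email": "bob@paperstreetsoap.example", "role": "EMPLOYEE"},
    {"email": "growth.team@freemail.example", "role": "ADMIN"},
]


def run_audit(users=SAMPLE_USERS, pending=SAMPLE_PENDING, allowed_domains=ALLOWED_DOMAINS):
    """Run both checks; privileged findings are sorted to the front."""
    findings = (audit_business_users(users, allowed_domains)
                + audit_pending_invites(pending, allowed_domains))
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES, f.email))
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.role:<15} {f.email:<40} {f.reason}")
```

Run it against the real user and pending lists pulled with a system-user token and compare each run against the previous one: a new non-corporate ADMIN or FINANCE_EDITOR, or a pending invite nobody on the marketing team sent, is exactly the event this campaign produces.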

Hackers’ intent

The Ducktail attacks surfaced earlier this year, but cyber security researchers believe the malware has been under development since 2021, and the hackers have continuously added features to extend its capabilities.

Judging by the design of the malware and the nature of the campaign, the hackers' motive is financial. Known targets have been spread across Europe, the Middle East, Africa and North America.

A word of caution

Do you hold admin privileges on a Facebook Business account? As this campaign continues, organizations and individuals using Facebook's ads and business tools should stay on high alert. People in managerial, digital marketing, digital media and human resource roles are the campaign's ideal targets. A practical check is to review the user list and pending invitations of every Business you administer for addresses outside your organization, since that is where the hackers' own mailbox would appear.

In conclusion

Social media is a popular way to connect with colleagues and to reach customers and clients. So far, malware built specifically to target Facebook has been relatively uncommon. Facebook's wide reach, however, makes it an alluring target for cyber criminals.

For more on this story, please visit CSO Online.