“Historically we’ve seen similar attacks on social media accounts such as the Twitter hack in July 2020…but the directed approach of targeting Facebook business accounts is a new and interesting angle. Contrasting with prior social media hijacking that makes itself obvious very quickly by posting links to scams or malware, this campaign is stealthier, looking to modify ad spends or introduce ad fraud.”

Securing businesses from this new malware

“As businesses become more aware and resilient to traditional ransomware attacks, cybercriminals will look for new ways to convert successful cyberattacks into ill-gotten financial gains,” said Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel.
With that goal achieved, they can then fully control the account as well as access and modify credit card information, transactions, invoices and payment methods.
Ultimately, the cybercriminals give themselves admin and finance editor roles on the victim’s Facebook business account.
And for associated Facebook ad accounts, it looks for the name, ID, account status, payment cycle, currency and amount spent.
For business accounts, it seeks out the name, verification status, ad account limit, owner, role and names of clients. Using that cookie, the malware then connects with different Facebook endpoints to grab information from the user’s Facebook account. For personal Facebook accounts, the malware aims to grab the user’s name, email address, birthdate and user ID. For each browser, Ducktail extracts all stored cookies, including any for a Facebook session. Once installed, the malware scans for any of the following browsers: Google Chrome, Microsoft Edge, Brave and Firefox. With such names as “Project Development Plan” and “Project Information,” the files are designed to coax people into opening them and launching the malware.
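The article says Ducktail looks for Chrome, Edge, Brave and Firefox and pulls the stored cookies from each. The following detection sketch is an added example, not code from the article or from WithSecure: it flags any process that opens a browser cookie store it does not own. The event fields (`host`, `pid`, `image`, `path`), the sample events, the host and user names, and the owner allowlist are all constructed assumptions rather than a real EDR schema.

```python
import re
from collections import defaultdict

# Cookie-store paths for the four browsers named in the article, assuming a
# default Windows profile layout (Chromium may keep the file under Network\).
COOKIE_STORES = {
    "chrome": re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Network\\)?Cookies$", re.I),
    "edge": re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\(Network\\)?Cookies$", re.I),
    "brave": re.compile(r"\\BraveSoftware\\Brave-Browser\\User Data\\.*\\(Network\\)?Cookies$", re.I),
    "firefox": re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\cookies\.sqlite$", re.I),
}
# Assumed allowlist: the only image expected to open each store.
OWNERS = {"chrome": "chrome.exe", "edge": "msedge.exe",
          "brave": "brave.exe", "firefox": "firefox.exe"}

def store_for(path):
    """Return the browser whose cookie store this path is, or None."""
    for browser, pattern in COOKIE_STORES.items():
        if pattern.search(path):
            return browser
    return None

def flag_cookie_readers(events):
    """Map (host, pid, image name) -> sorted browsers whose cookies it opened."""
    hits = defaultdict(set)
    for ev in events:
        browser = store_for(ev["path"])
        if browser is None:
            continue  # not a cookie store
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image != OWNERS[browser]:  # the browser reading its own store is normal
            hits[(ev["host"], ev["pid"], image)].add(browser)
    return {key: sorted(found) for key, found in hits.items()}

# Constructed file-open events for one workstation (not real telemetry).
APPDATA = r"C:\Users\amy\AppData"
LURE = r"C:\Users\amy\Downloads\Project Development Plan.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
def _ev(pid, image, path):
    return {"host": "ws-17", "pid": pid, "image": image, "path": path}
SAMPLE_EVENTS = [
    _ev(4120, CHROME, APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    _ev(7788, LURE, APPDATA + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    _ev(7788, LURE, APPDATA + r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    _ev(7788, LURE, APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\cookies.sqlite"),
    _ev(7788, LURE, r"C:\Users\amy\Documents\plan.docx"),
]

if __name__ == "__main__":
    for proc, browsers in flag_cookie_readers(SAMPLE_EVENTS).items():
        print(proc, "opened cookie stores of:", ", ".join(browsers))
```

A single process touching the stores of several browsers is the stronger signal. Backup and security tools also read these files, so the allowlist needs tuning per fleet.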
The malware itself is packaged as an archive file that contains documents, images and videos.

As the next step, the attackers deploy malware to the potential victims, sometimes delivered through LinkedIn and often hosted on cloud-based services such as Dropbox and iCloud. Among the employees singled out in this campaign have been ones in management, digital marketing, digital media and human resources, according to WithSecure. In the malicious campaign dubbed Ducktail, cybercriminals look for companies that use Facebook’s Business/Ads platform and then target people within the company who may have high-level access to the business accounts. Using Facebook’s Meta Business Suite, organizations can designate specific employees to communicate with customers, discuss their products and services and create ads to run on Facebook.

How does Ducktail attack businesses?

A new attack analyzed by cybersecurity provider WithSecure Intelligence targets Facebook business users with the intent of stealing their sensitive data and taking over their accounts. And as one of the most popular social networks, Facebook is often in the crosshairs of malware campaigns. Social media is one area that cybercriminals love to exploit to attack their victims.

Infostealer malware targets Facebook business accounts to capture sensitive data

Ducktail malware tries to hijack the accounts of individuals who use Facebook’s Business and Ads platforms, says WithSecure Intelligence.