Cybercriminals are trying to hijack Facebook Business accounts using a newly discovered data-stealing malware, and are targeting digital marketing and human resources professionals.
Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail, and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operations’ motives appear to be purely financially driven.
The threat actor first scouts targets via LinkedIn, where it selects employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access.
Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to, simply by adding their email address to the compromised account, which prompts Facebook to send a link, via email, to the same email address.
WithSecure, which shared its research with Meta, said it was “unable to determine the success, or lack thereof” of the Ducktail campaign and couldn’t say how many users have potentially been affected, but noted that it has not seen a regional pattern in Ducktail’s targeting, with potential victims spread across Europe, the Middle East, Africa and North America.