Facebook business accounts hijacked by infostealer malware campaign

Threat actors are using LinkedIn phishing to seize business, ad accounts for financial gain
Image: Getty via Dennis

26 July 2022

Companies operating Facebook Business or Ad accounts have been warned of a new info stealing campaign in which threat actors seize access privileges to such accounts for profit.

The operation begins with threat actors scouting LinkedIn for individuals within companies who have high-level access to a Facebook Business account. Targets are then the subject of phishing in order to steal their login credentials.

Once access to the business account has been acquired, the threat actors alter payment information, invoices, credit card details and transactions for their own profit.

Researchers at WithSecure discovered the ongoing campaign – dubbed ‘DUCKTAIL’ in a publication on the campaign – believe it has been operational since late 2021, and have found evidence to suggest that the threat actors are based in Vietnam.

Those in roles such as managerial, digital media, marketing or human resources are particularly targeted and typically sent a link to an archive file on a cloud-hosting site under a false pretence. This contains the malware executable, along with several files named after brand keywords.

Activated, the malware is tailor-made to extract Facebook session cookies from the browsers of its victims, along with security credentials obtained through the initial session cookie.

After personal information has been stolen from the victim, the malware steals sensitive information from all business and advert accounts associated with the victim’s personal account. It also attempts to grant administrator or finance editor roles to email addresses used by the threat actors.

Once granted, Facebook considers the threat actors legitimate administrators, and they can access all accounts, tools and settings associated with the business as well as remove the business manager. Stolen data is exfiltrated through Telegram to the DUCKTAIL command and control (C2) channel.

Extracting the user agent of the victim’s browser allows the threat actors to make requests to Facebook endpoints, thereby making requests appear as if they are coming from the victim’s browser.

It is theorised by WithSecure that this circumvents Meta security features that might otherwise identify the activity as malicious. Moreover, the malware’s ability to steal access tokens, two-factor authentication codes and the victim’s IP address, among other information, gives threat actors the ability to do this masked attack from external machines.

“Many spear phishing campaigns target users on LinkedIn,” stated WithSecure researcher Mohammad Kazem Hassan Nejad.

If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.”

Facebook Business admins have been urged to regularly review the privileges of users within their account, and revoke access for any unknown users with the role of finance editor or administrator.

Future Publishing

Read More:

Back to Top ↑