Ducktail malware tries to hijack the accounts of individuals who use Facebook’s Business and Ads platforms, says WithSecure Intelligence.
Social media is a favorite hunting ground for cybercriminals, and as one of the most popular social networks, Facebook is frequently in the crosshairs of malware campaigns. A new attack analyzed by cybersecurity provider WithSecure Intelligence targets Facebook business users with the intent of stealing their sensitive data and taking over their accounts.
How does Ducktail attack businesses?
Using Facebook’s Meta Business Suite, organizations can designate specific employees to communicate with customers, discuss their products and services, and create ads to run on Facebook. In the malicious campaign dubbed Ducktail, cybercriminals look for companies that use Facebook’s Business/Ads platform and then target people within the company who are likely to have high-level access to the business accounts. According to WithSecure, the employees singled out in this campaign have included staff in management, digital marketing, digital media and human resources roles.
Next, the attackers deliver the malware to the potential victims, sometimes through LinkedIn and often hosted on cloud-based services such as Dropbox and iCloud. The malware is packaged in an archive file alongside documents, images and videos that serve as lures. With names such as “Project Development Plan” and “Project Information,” the files are designed to coax people into opening them and launching the malware.
Once running, the malware checks for any of the following browsers: Google Chrome, Microsoft Edge, Brave and Firefox. For each browser it finds, Ducktail extracts all stored cookies, including any for a Facebook session. Armed with that session cookie, the malware then connects to various Facebook endpoints as the victim to pull information from the user’s Facebook account.
For personal Facebook accounts, the malware aims to grab the user’s name, email address, birthdate and user ID. For business accounts, it seeks out the name, verification status, ad account limit, owner, role and names of clients. And for associated Facebook ad accounts, it looks for the name, ID, account status, payment cycle, currency and amount spent.
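The artefact Ducktail hunts for is the Facebook session cookie sitting in the browser’s cookie store. The following is an added example, not code from the WithSecure report, that audits which browser profiles on a host hold such a cookie so a defender can see which endpoints are exposed. It assumes (none of this is stated in the article) that Chromium-based browsers keep cookies in a SQLite file named “Cookies” with a table “cookies”, that Firefox uses “cookies.sqlite” with a table “moz_cookies”, and that a logged-in Facebook session is represented by the “c_user” and “xs” cookies. The sample stores it builds are constructed for the demo.

```python
"""Find which browser profiles hold a live Facebook session cookie.

Added example, not code from the WithSecure report. Assumptions not taken
from the article: Chromium-based browsers (Chrome, Edge, Brave) keep cookies
in a SQLite file named "Cookies" with a table "cookies"; Firefox uses
"cookies.sqlite" with a table "moz_cookies"; a logged-in Facebook session is
represented by the "c_user" and "xs" cookies. The sample stores are constructed.
"""
import sqlite3
import tempfile
from pathlib import Path

# Cookie names that together identify a logged-in Facebook session (assumption).
FB_SESSION_COOKIES = ("c_user", "xs")

# (table, host column, name column) per browser family's SQLite schema (assumption).
SCHEMAS = {
    "chromium": ("cookies", "host_key", "name"),   # Chrome, Edge, Brave
    "firefox": ("moz_cookies", "host", "name"),
}


def facebook_session_cookies(db_path, browser):
    """Return the Facebook session cookie names present in the store at db_path.

    Only cookie names are read, never values: in Chromium the value column is
    encrypted at rest with an OS-held key (DPAPI on Windows), which is exactly
    why a stealer like Ducktail runs on the victim's own machine, where that key
    is available to any process in the user's session.
    """
    table, host_col, name_col = SCHEMAS[browser]
    # Open read-only so an audit can never modify the profile.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        placeholders = ",".join("?" * len(FB_SESSION_COOKIES))
        rows = con.execute(
            f"SELECT {name_col} FROM {table} "
            f"WHERE {host_col} LIKE '%facebook.com' AND {name_col} IN ({placeholders})",
            FB_SESSION_COOKIES,
        ).fetchall()
    finally:
        con.close()
    return sorted({r[0] for r in rows})


def has_live_facebook_session(db_path, browser):
    """True when every cookie needed for a Facebook session is present."""
    return set(facebook_session_cookies(db_path, browser)) == set(FB_SESSION_COOKIES)


def build_sample_store(path, browser, cookies):
    """Create a constructed cookie store with a minimal version of the schema."""
    table, host_col, name_col = SCHEMAS[browser]
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE {table} ({host_col} TEXT, {name_col} TEXT, value TEXT)")
    con.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", cookies)
    con.commit()
    con.close()
    return path


def demo():
    """Two constructed profiles: a Chromium one logged into Facebook, a Firefox one not."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome = build_sample_store(Path(tmp) / "Cookies", "chromium", [
            (".facebook.com", "c_user", "100000000000000"),
            (".facebook.com", "xs", "session-secret-placeholder"),
            (".example.com", "sid", "unrelated"),
        ])
        firefox = build_sample_store(Path(tmp) / "cookies.sqlite", "firefox", [
            (".facebook.com", "datr", "browser-id"),   # set even when logged out
            (".example.com", "sid", "unrelated"),
        ])
        return {
            "chromium": has_live_facebook_session(chrome, "chromium"),
            "firefox": has_live_facebook_session(firefox, "firefox"),
        }


if __name__ == "__main__":
    print(demo())  # {'chromium': True, 'firefox': False}
```

Two practical caveats: a running browser holds a lock on its cookie database, so point the audit at a copy of the profile (or run it with the browser closed); and because the session cookie is what grants access, a compromised user must invalidate existing Facebook sessions, not just change a password, or the stolen cookie keeps working.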
Ultimately, the cybercriminals grant themselves admin and finance editor roles on the victim’s Facebook business account. With that achieved, they can fully control the account as well as access and modify credit card information, transactions, invoices and payment methods.
“As businesses become more aware and resilient to traditional ransomware attacks, cybercriminals will look for new ways to convert successful cyberattacks into ill-gotten financial gains,” said Chris Clements, VP of solutions architecture at cybersecurity company Cerberus Sentinel. “Historically we’ve seen similar attacks on social media accounts such as the Twitter hack in July 2020…but the directed approach of targeting Facebook business accounts is a new and interesting angle. Contrasting with prior social media hijacking that makes itself obvious very quickly by posting links to scams or malware, this campaign is stealthier, looking to modify ad spends or introduce ad fraud.”
Securing businesses from this new malware
To protect organizations against these types of social media-driven threats, WithSecure offers the following recommendations:
- Turn to Endpoint Detection and Response tools: EDR tools record activity at every stage of an attack and correlate it into a single incident, giving you the information needed to detect and mitigate it.
- Protect endpoints: A good endpoint protection tool can detect malware across your internal and external networks and devices. Make sure that real-time protection is enabled, but also run full manual scans on endpoints.
- Review Facebook business users: Sign into your Facebook Business administrator page to review everyone who has been added. Select Business Manager, go to Settings and then select People. Revoke access for any unknown users, paying particular attention to anyone holding an admin or finance editor role, since those are the roles Ducktail grants to its operators.
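For a business with more than a handful of people, clicking through the People page is error-prone, and the review is worth repeating on a schedule. The following is an added example, not code from the WithSecure report or from Meta, that implements the “review Facebook business users” step as an allow-list check over the kind of paged response the Graph API returns. The endpoint (`GET /{business-id}/business_users`), the field names `id`, `name`, `email`, `role` and the role values `ADMIN` and `FINANCE_EDITOR` are assumptions to verify against current Meta documentation; the sample payload is constructed.

```python
"""Audit the people on a Meta Business Manager account for unexpected admins.

Added example, not code from the WithSecure report or from Meta. The endpoint
/{business-id}/business_users, its fields (id, name, email, role) and the role
values ADMIN and FINANCE_EDITOR are assumptions; check them against current
Meta documentation. SAMPLE_RESPONSE is constructed for the demo.
"""
import json
import urllib.parse
import urllib.request

# Roles that can change billing or add other users; the roles Ducktail grants itself.
HIGH_RISK_ROLES = {"ADMIN", "FINANCE_EDITOR"}

# Constructed sample in the (assumed) shape of a paged Graph API response.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "1", "name": "Alice Admin", "email": "alice@example.com", "role": "ADMIN"},
        {"id": "2", "name": "Bob Marketer", "email": "bob@example.com", "role": "EMPLOYEE"},
        {"id": "3", "name": "Alice Admin", "email": "ops@mailbox.invalid", "role": "FINANCE_EDITOR"},
        {"id": "4", "name": "Carol Contractor", "email": "carol@partner.example", "role": "ADMIN"},
    ],
    "paging": {},
}


def find_unexpected_users(users, approved_emails, risky_roles=HIGH_RISK_ROLES):
    """Return users holding a risky role whose email is not on the approved list.

    Matches on email (lower-cased), never on display name: an attacker can give
    the account they add any name, including one that mimics a real admin
    (see user 3 in the sample, which reuses Alice's display name).
    """
    approved = {e.lower() for e in approved_emails}
    return [
        u for u in users
        if u.get("role") in risky_roles and u.get("email", "").lower() not in approved
    ]


def fetch_business_users(business_id, access_token, api_version="v18.0"):
    """Page through /{business_id}/business_users (assumed endpoint). Not run in the demo."""
    users = []
    url = (f"https://graph.facebook.com/{api_version}/{business_id}/business_users?"
           + urllib.parse.urlencode({"fields": "id,name,email,role",
                                     "access_token": access_token}))
    while url:
        with urllib.request.urlopen(url) as resp:
            page = json.load(resp)
        users.extend(page.get("data", []))
        url = page.get("paging", {}).get("next")   # None on the last page
    return users


def demo():
    """Run the check over the constructed sample with a two-person allow-list."""
    approved = ["alice@example.com", "bob@example.com"]
    flagged = find_unexpected_users(SAMPLE_RESPONSE["data"], approved)
    return [(u["id"], u["role"]) for u in flagged]


if __name__ == "__main__":
    print(demo())  # [('3', 'FINANCE_EDITOR'), ('4', 'ADMIN')]
```

Treat the flagged list as a work queue for a human to revoke through Business Settings, not as input to automatic removal: a stale allow-list would otherwise lock out a legitimate admin. Note also that revoking the attacker’s added users is only half the fix, because Ducktail entered through a stolen session on a legitimate user’s account; that user’s sessions need to be invalidated and their machine cleaned as well.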
“Nearly every organization could best improve their cybersecurity defense plans if they focused far more on reducing the likelihood of social engineering compromise,” said Roger Grimes, data-driven defense evangelist at cybersecurity firm KnowBe4. “Every organization should look to see what they can improve in their defense-in-depth plan (e.g., policies, technical defenses, and education) to defeat social engineering. It is because almost no organization appropriately focuses the necessary resources and training against social engineering that hackers and malware [are able] to be so long term successful.”