A newly discovered malware hijacks Facebook Business accounts

An ongoing cybercriminal operation is targeting digital marketing and human resources professionals in an effort to hijack Facebook Business accounts using a newly discovered data-stealing malware.

Researchers at WithSecure, the enterprise spin-off of security giant F-Secure, discovered the ongoing campaign they dubbed Ducktail and found evidence to suggest that a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. The firm added that the operations’ motives appear to be purely financially driven.

The threat actor first scouts targets via LinkedIn where it selects employees likely to have high-level access to Facebook Business accounts, particularly those with the highest level of access.

“We believe that the Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said Mohammad Kazem Hassan Nejad, a researcher and malware analyst at WithSecure Intelligence. “We have observed individuals with managerial, digital marketing, digital media and human resources roles in companies to have been targeted.”

The threat actor then uses social engineering to convince the target to download a file hosted on a legitimate cloud host, like Dropbox or iCloud. While the file features keywords related to brands, products, and project planning in an attempt to appear legitimate, it contains data-stealing malware that WithSecure says is the first malware that they have seen specifically designed to hijack Facebook Business accounts.

Once installed on a victim’s system, the Ducktail malware steals browser cookies and hijacks authenticated Facebook sessions to steal information from the victim’s Facebook account, including account information, location data, and two-factor authentication codes. The malware also allows the threat actor to hijack any Facebook Business account that the victim has sufficient access to simply by adding their email address to the compromised account, which prompts Facebook to to send a link, via email, to the same email address.

“The recipient — in this case, the threat actor — then interacts with the emailed link to gain access to that Facebook Business. This mechanism represents the standard process used to grant individuals access to a Facebook Business, and thus circumvents security features implemented by Meta to protect against such abuse,” Nejad says.

The threat actors then leverage their new privileges to replace the account’s set financial details in order to direct payments to their accounts or to run Facebook Ad campaigns using money from the victimized firms.

WithSecure, which shared its research with Meta, said it was “unable to determine the success, or lack thereof” of the Ducktail campaign and couldn’t say how many users have potentially been affected, but noted that it has not seen a regional pattern in Ducktail’s targeting, with potential victims spread across Europe, the Middle East, Africa and North America.

A spokesperson for Meta told TechCrunch in a statement:

We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.