
Facebook business accounts hijacked by infostealer malware campaign

Threat actors are using LinkedIn phishing to seize business, ad accounts for financial gain


Companies operating Facebook Business or Ad accounts have been warned of a new info-stealing campaign in which threat actors seize access privileges to such accounts for profit.

The operation begins with threat actors scouting LinkedIn for individuals within companies who have high-level access to a Facebook Business account. Targets are then the subject of phishing in order to steal their login credentials. 


Once access to the business account has been acquired, the threat actors alter payment information, invoices, credit card details and transactions for their own profit.

Researchers at WithSecure discovered the ongoing campaign, which they dubbed ‘DUCKTAIL’, in a report on the campaign released today. They believe it has been operational since late 2021, and have found evidence to suggest that the threat actors are based in Vietnam.

Those in managerial, digital media, marketing or human resources roles are particularly targeted, and are typically sent a link, under a false pretence, to an archive file on a cloud-hosting site. The archive contains the malware executable alongside several decoy files named after brand keywords.

Once run, the malware is purpose-built to extract Facebook session cookies from the victim’s browsers, and then uses those cookies to obtain further security credentials, such as access tokens, for the authenticated session.

After personal information has been stolen from the victim, the malware steals sensitive information from all business and advert accounts associated with the victim’s personal account. It also attempts to grant administrator or finance editor roles to email addresses used by the threat actors.

Once granted, Facebook considers the threat actors legitimate administrators, and they can access all accounts, tools and settings associated with the business as well as remove the business manager. Stolen data is exfiltrated through Telegram to the DUCKTAIL command and control (C2) channel.

Because the malware also records the user agent of the victim’s browser, the threat actors can replay it when making requests to Facebook endpoints, so that their activity appears to originate from the victim’s browser.

It is theorised by WithSecure that this circumvents Meta security features that might otherwise identify the activity as malicious. Moreover, the malware’s ability to steal access tokens, two-factor authentication codes and the victim’s IP address, among other information, gives threat actors the ability to do this masked attack from external machines.

"Many spear phishing campaigns target users on LinkedIn," stated WithSecure researcher Mohammad Kazem Hassan Nejad.

"If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.

"Realistically, if the threat actor manages to obtain Admin access to a victim’s Facebook Business account, the sky’s the limit in terms of what they can do. With admin access, the threat actor has full control over the business. They can view and modify settings, people, account, and tools linked to the business as well as outright delete the business."

Facebook Business admins have been urged to regularly review the privileges of users within their account, and revoke access for any unknown users with the role of finance editor or administrator.
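The review described above, and the role-granting behaviour described earlier, can be turned into a routine check. The following Python script is an added example, not code from the WithSecure report, this article or Meta: it audits a snapshot of a Business Manager's user list against an approved baseline and flags unknown or escalated holders of the administrator and finance editor roles. The snapshot is constructed inline and only assumed to resemble what the Graph API's business_users edge returns (id, name, email, role); the role names ADMIN, EMPLOYEE, FINANCE_EDITOR and FINANCE_ANALYST are likewise assumed from that API, and the function names are the author's own.

```python
"""Audit Facebook Business Manager user roles against an approved baseline.

Added example (not WithSecure's, IT Pro's or Meta's code). Runs offline on a
constructed snapshot; the object shape and role names are assumptions about
the Graph API's /{business_id}/business_users edge. Replace SNAPSHOT with the
live response when wiring this into a scheduled job.
"""
from dataclasses import dataclass

# The two roles DUCKTAIL tries to grant to attacker-controlled addresses:
# full control of the business, or control over payment settings.
HIGH_RISK_ROLES = {"ADMIN", "FINANCE_EDITOR"}

# Constructed baseline: who is expected to hold which role.
APPROVED_ROLES = {
    "alice@example.com": "ADMIN",
    "bob@example.com": "FINANCE_EDITOR",
    "carol@example.com": "EMPLOYEE",
}

# Constructed snapshot of the current user listing (assumed API shape).
SNAPSHOT = [
    {"id": "1001", "name": "Alice", "email": "alice@example.com", "role": "ADMIN"},
    {"id": "1002", "name": "Bob", "email": "bob@example.com", "role": "FINANCE_EDITOR"},
    # Known employee quietly promoted to ADMIN: the escalation case.
    {"id": "1003", "name": "Carol", "email": "carol@example.com", "role": "ADMIN"},
    # Unknown account with a low-privilege role: worth a look, not urgent.
    {"id": "1004", "name": "Dave", "email": "dave@example.com", "role": "EMPLOYEE"},
    # Unknown address holding FINANCE_EDITOR: the pattern the campaign leaves.
    {"id": "1005", "name": "Eve", "email": "eve@mail-test.invalid", "role": "FINANCE_EDITOR"},
]


@dataclass(frozen=True)
class Finding:
    user_id: str   # empty when the user is missing from the snapshot
    email: str
    role: str
    reason: str


def audit_business_users(users, approved):
    """Compare the live user list with the approved baseline.

    Flags users not in the baseline, users whose role differs from the
    approved one, and approved users who have disappeared (an attacker
    with ADMIN can remove the legitimate administrators).
    """
    findings = []
    seen = set()
    for user in users:
        # Pending invitations may carry no email; normalise case for matching.
        email = (user.get("email") or "").lower()
        role = user.get("role", "")
        seen.add(email)
        expected = approved.get(email)
        if expected is None:
            reason = ("unknown user with high-risk role"
                      if role in HIGH_RISK_ROLES else "unknown user")
            findings.append(Finding(user["id"], email, role, reason))
        elif role != expected:
            findings.append(Finding(user["id"], email, role,
                                    f"role changed from {expected}"))
    for email, role in approved.items():
        if email not in seen:
            findings.append(Finding("", email, role, "approved user missing"))
    return findings


def urgent_revocations(findings):
    """IDs to remove or downgrade immediately: anyone currently holding
    ADMIN or FINANCE_EDITOR who is unknown or was not approved for it."""
    return sorted(f.user_id for f in findings
                  if f.user_id and f.role in HIGH_RISK_ROLES)


if __name__ == "__main__":
    for finding in audit_business_users(SNAPSHOT, APPROVED_ROLES):
        print(f"{finding.reason:32s} {finding.email:28s} {finding.role}")
    print("revoke now:", urgent_revocations(audit_business_users(SNAPSHOT, APPROVED_ROLES)))
```

Run this on a schedule against a pulled listing and alert on any non-empty result; the baseline itself should live in version control so that a change to it requires a reviewed commit rather than a click in Business Manager.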

This article has been updated to include an expanded quote from Mohammad Kazem Hassan Nejad.


