Companies operating Facebook Business or Ad accounts have been warned of a new info stealing campaign in which threat actors seize access privileges to such accounts for profit.
The operation begins with threat actors scouting LinkedIn for individuals within companies who have high-level access to a Facebook Business account. Targets are then the subject of phishing in order to steal their login credentials.
Introducing IBM Security QRadar XDR
A comprehensive open solution in a crowded and confusing space
Once access to the business account has been acquired, the threat actors alter payment information, invoices, credit card details and transactions for their own profit.
Researchers at WithSecure discovered the ongoing campaign, which they dubbed ‘DUCKTAIL’ in a publication on the campaign released today They believe it has been operational since late 2021, and have found evidence to suggest that the threat actors are based in Vietnam.
Those in roles such as managerial, digital media, marketing or human resources are particularly targeted and typically sent a link to an archive file on a cloud-hosting site under a false pretence. This contains the malware executable, along with several files named after brand keywords.
Activated, the malware is tailor-made to extract Facebook session cookies from the browsers of its victims, along with security credentials obtained through the initial session cookie.
After personal information has been stolen from the victim, the malware steals sensitive information from all business and advert accounts associated with the victim’s personal account. It also attempts to grant administrator or finance editor roles to email addresses used by the threat actors.
Once granted, Facebook considers the threat actors legitimate administrators, and they can access all accounts, tools and settings associated with the business as well as remove the business manager. Stolen data is exfiltrated through Telegram to the DUCKTAIL command and control (C2) channel.
Extracting the user agent of the victim’s browser allows the threat actors to make requests to Facebook endpoints, thereby making requests appear as if they are coming from the victim’s browser.
It is theorised by WithSecure that this circumvents Meta security features that might otherwise identify the activity as malicious. Moreover, the malware’s ability to steal access tokens, two-factor authentication codes and the victim’s IP address, among other information, gives threat actors the ability to do this masked attack from external machines.
"Many spear phishing campaigns target users on LinkedIn,” stated WithSecure researcher Mohammad Kazem Hassan Nejad.
"If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.
"Realistically, if the threat actor manages to obtain Admin access to a victim’s Facebook Business account, the sky’s the limit in terms of what they can do. With admin access, the threat actor has full control over the business. They can view and modify settings, people, account, and tools linked to the business as well as outright delete the business."
Facebook Business admins have been urged to regularly review the privileges of users within their account, and revoke access for any unknown users with the role of finance editor or administrator.
This article has been updated to include an expanded quote from Mohammad Kazem Hassan Nejad.
