
Facebook business accounts hijacked by infostealer malware campaign

Threat actors are using LinkedIn phishing to seize business, ad accounts for financial gain


Companies operating Facebook Business or Ad accounts have been warned of a new info-stealing campaign in which threat actors seize access privileges to such accounts for profit.

The operation begins with threat actors scouting LinkedIn for individuals within companies who have high-level access to a Facebook Business account. Targets are then the subject of phishing in order to steal their login credentials. 


Once access to the business account has been acquired, the threat actors alter payment information, invoices, credit card details and transactions for their own profit.

Researchers at WithSecure discovered the ongoing campaign, which they dubbed ‘DUCKTAIL’ in a publication on the campaign released today. They believe it has been operational since late 2021, and have found evidence to suggest that the threat actors are based in Vietnam.

Those in roles such as managerial, digital media, marketing or human resources are particularly targeted and typically sent a link to an archive file on a cloud-hosting site under a false pretence. This contains the malware executable, along with several files named after brand keywords.

Once activated, the malware, which is tailor-made for this purpose, extracts Facebook session cookies from the victim’s browsers, along with further security credentials obtained using that initial session cookie.

After personal information has been stolen from the victim, the malware steals sensitive information from all business and advert accounts associated with the victim’s personal account. It also attempts to grant administrator or finance editor roles to email addresses used by the threat actors.

Once granted, Facebook considers the threat actors legitimate administrators, and they can access all accounts, tools and settings associated with the business as well as remove the business manager. Stolen data is exfiltrated through Telegram to the DUCKTAIL command and control (C2) channel.

The malware also extracts the user agent string of the victim’s browser, so that the threat actors’ requests to Facebook endpoints appear to originate from the victim’s own browser.

WithSecure theorises that this circumvents Meta security features that might otherwise identify the activity as malicious. Moreover, the malware’s ability to steal access tokens, two-factor authentication codes and the victim’s IP address, among other information, lets the threat actors carry out this masked activity from their own external machines.

“Many spear phishing campaigns target users on LinkedIn,” stated WithSecure researcher Mohammad Kazem Hassan Nejad.

“If you are in a role that has admin access to corporate social media accounts, it is important to exercise caution when interacting with others on social media platforms, especially when dealing with attachments or links sent from individuals you are unfamiliar with.

“Realistically, if the threat actor manages to obtain Admin access to a victim’s Facebook Business account, the sky’s the limit in terms of what they can do. With admin access, the threat actor has full control over the business. They can view and modify settings, people, account, and tools linked to the business as well as outright delete the business.”

Facebook Business admins have been urged to regularly review the privileges of users within their account, and revoke access for any unknown users with the role of finance editor or administrator.
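As an added example (not from the article or from WithSecure’s research), the following Python script turns that review into a repeatable check: it compares the user list from the last review against the current one and flags newly added administrators or finance editors, escalations of existing users into those roles, and privileged addresses outside the company’s mail domains. The export format, role names and e-mail addresses are assumptions constructed for the example.

```python
import json

# Roles the article says DUCKTAIL grants to attacker-controlled addresses
# (role strings are assumed, not Meta's official identifiers).
PRIVILEGED_ROLES = {"ADMIN", "FINANCE_EDITOR"}

# Constructed sample snapshots in a hypothetical export format: one record per
# Business Manager user. BASELINE is the last reviewed state, CURRENT is today's.
BASELINE = json.loads("""[
  {"email": "cfo@example.com",       "role": "FINANCE_EDITOR"},
  {"email": "it-admin@example.com",  "role": "ADMIN"},
  {"email": "marketing@example.com", "role": "EMPLOYEE"}
]""")
CURRENT = json.loads("""[
  {"email": "cfo@example.com",             "role": "FINANCE_EDITOR"},
  {"email": "it-admin@example.com",        "role": "ADMIN"},
  {"email": "marketing@example.com",       "role": "ADMIN"},
  {"email": "billing.helper@mailbox.test", "role": "FINANCE_EDITOR"}
]""")


def audit_privileged_users(baseline, current, approved_domains):
    """Compare two role snapshots and return (reason, email, role) findings.

    new_privileged_user  - privileged role held by an address absent from the baseline
    privilege_escalation - known address moved from a non-privileged to a privileged role
    external_address     - privileged role held by an address outside approved_domains
    """
    before = {u["email"].lower(): u["role"].upper() for u in baseline}
    findings = []
    for user in current:
        email, role = user["email"].lower(), user["role"].upper()
        if role not in PRIVILEGED_ROLES:
            continue  # only admin / finance editor roles are in scope
        if email not in before:
            findings.append(("new_privileged_user", email, role))
        elif before[email] not in PRIVILEGED_ROLES:
            findings.append(("privilege_escalation", email, role))
        if email.rsplit("@", 1)[-1] not in approved_domains:
            findings.append(("external_address", email, role))
    return findings


def removed_users(baseline, current):
    """Baseline users missing today; an attacker with admin rights can remove staff."""
    now = {u["email"].lower() for u in current}
    return sorted(u["email"].lower() for u in baseline if u["email"].lower() not in now)


if __name__ == "__main__":
    for finding in audit_privileged_users(BASELINE, CURRENT, {"example.com"}):
        print("REVIEW:", *finding)
```

Each finding is a candidate for the revocation the advice above calls for; a clean run returns an empty list.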

This article has been updated to include an expanded quote from Mohammad Kazem Hassan Nejad.
