A spear-phishing campaign dubbed "Ducktail" has been discovered targeting marketing and HR professionals through LinkedIn, with the aim of taking over Facebook Business accounts and abusing the Ads function to run malvertising schemes.
The campaign delivers tailored malware that scans the victim's machine for popular browsers and extracts all of the cookies stored by the browsers it finds, including any Facebook session cookies, and works out whether the victim is likely to hold admin privileges on a Facebook Business account.
The malware component can take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account, which it then uses to hijack the victim's Facebook Business and Facebook Ads accounts.
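Because the infostealer stage has to open the browsers' on-disk cookie stores, that file access is a practical detection point on the endpoint. The following is an added example, not code from WithSecure's report or from the Ducktail samples: it runs over constructed file-access events shaped like Sysmon telemetry (process image plus file opened) and flags any process that reads a cookie store without being a properly installed browser. The cookie-store paths, browser executable names and trusted install directories are assumptions for a default Windows layout; extend them for your fleet.

```python
import re
from pathlib import PureWindowsPath

# Cookie stores of common Windows browsers (illustrative patterns; extend for
# other browsers or profile layouts present in your fleet).
COOKIE_STORE_PATTERNS = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
               r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),
]

# Executables expected to open those files, and the directories they are
# normally installed in. A binary merely named chrome.exe in Downloads or Temp
# does not qualify.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
TRUSTED_IMAGE_DIRS = re.compile(
    r"^[A-Z]:\\Program Files( \(x86\))?\\"
    r"|\\AppData\\Local\\(Google|Microsoft|BraveSoftware|Mozilla)\\",
    re.IGNORECASE,
)


def is_cookie_store(path: str) -> bool:
    return any(p.search(path) for p in COOKIE_STORE_PATTERNS)


def is_trusted_browser(image: str) -> bool:
    name = PureWindowsPath(image).name.lower()
    return name in BROWSER_IMAGES and TRUSTED_IMAGE_DIRS.search(image) is not None


def suspicious_cookie_access(events):
    """Return the events in which a process that is not a properly installed
    browser opened a browser cookie store."""
    return [ev for ev in events
            if is_cookie_store(ev["target"]) and not is_trusted_browser(ev["image"])]


# Constructed sample telemetry in the shape of file-access events (process
# image, file opened); these are not real logs.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\hr.lead\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 7788,
     "image": r"C:\Users\hr.lead\AppData\Local\Temp\Project_Plan.exe",
     "target": r"C:\Users\hr.lead\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"pid": 7788,
     "image": r"C:\Users\hr.lead\AppData\Local\Temp\Project_Plan.exe",
     "target": r"C:\Users\hr.lead\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q2.default-release\cookies.sqlite"},
    {"pid": 7788,
     "image": r"C:\Users\hr.lead\AppData\Local\Temp\Project_Plan.exe",
     "target": r"C:\Users\hr.lead\Documents\budget.xlsx"},
    {"pid": 9102,
     "image": r"C:\Users\hr.lead\Downloads\chrome.exe",
     "target": r"C:\Users\hr.lead\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
]

if __name__ == "__main__":
    for hit in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']} opened {hit['target']}")
```

On the sample data this flags the executable in Temp twice (Chrome and Firefox stores) and the chrome.exe sitting in Downloads, while the real Chrome reading its own cookies is left alone. Expect noise from backup agents and other security tools that legitimately read profile directories; add those to the trusted set rather than loosening the cookie-store patterns.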
The campaign appears to be financially motivated, according to security specialist WithSecure's new report on the Ducktail campaign.
"One of the unique features of the malware is its ability to hijack Facebook Business accounts associated with the victim's Facebook account," WithSecure's report explains. "It attempts to grant the threat actor's emails access to the business with the highest-privilege roles."
Mohammad Kazem Hassan Nejad, researcher for WithSecure Intelligence, explains that the attackers carefully select their targets, first making sure they are likely to use Facebook Ads or Business. Blindly distributing the malware through other means, such as malicious spam campaigns, would be far noisier and would likely alert companies, cybersecurity vendors, and Meta to Ducktail's activity much sooner, he notes.
"By scouting for companies that operate on Facebook's Ads and Business platform beforehand and targeting individuals that most likely have access to a Facebook Business account, we believe the threat actor tries to increase their chance of success whilst making the least amount of noise," he says.
Connections to SilentFade
Nejad adds that Ducktail is the first Facebook-centric malware operation he's aware of that attempts to directly hijack Facebook Business accounts. However, Nejad notes that an earlier Facebook malware operation, dubbed SilentFade, used similar tactics, such as utilizing infostealer logic that leverages Meta's GraphAPI to gather private information about the victims' Facebook account. SilentFade was focused on committing ad fraud.
"However, SilentFade and Ducktail also differ in a few notable ways," Nejad says. "Whereas SilentFade infects victim systems via modified pirated software and potentially unwanted programs, we've observed the Ducktail operation utilizing spear-phishing over a combination of LinkedIn and file/cloud hosting services, in a targeted manner."
And while the SilentFade operation was attributed to a group in China, Nejad says WithSecure has attributed this operation, with high confidence, to an outfit in Vietnam.
Nejad points out the threat actor has continued to update the malware to improve its ability to bypass existing or new Facebook security features alongside other implemented features.
"For instance, one of the latest mechanisms added to the malware allows the threat actor to send a list of email addresses, through their command-and-communication channel, that they would like to use to hijack a specific business," he explains.
Facebook Business Offers Hackers a Prime Opportunity
Facebook remains one of the most popular social-network platforms, with close to 3 billion monthly active users, according to its latest quarterly results. That large user base and the wide outreach it provides makes it a perfect platform for advertisers and businesses to operate on — and so, Facebook is one of phishers' favorite brands, according to a recent report.
Just last month, a social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers targeted business pages via a savvy campaign incorporating Facebook's Messenger chatbot feature.
Because Ducktail hijacks Facebook Business accounts by obtaining administrator-level access, the threat actor can use the hijacked account however they wish. That could mean running malicious advertising (malvertising), classic fraud (scams), or spreading disinformation. The threat actor could also lock a company out of its own business account and use that leverage for blackmail.
"However, we believe the Ducktail operation uses hijacked business accounts purely to make money by pushing out ads, similar to the SilentFade campaign," Nejad says.
Review Users, Revoke Access
Nejad added that to protect themselves from these types of attacks, organizations must exercise caution, practice vigilance, and follow common cybersecurity practices.
"If you believe you've been a victim, we also recommend reviewing users who have been added to your Facebook Business account through Meta's Business Manager, and revoking access for unknown users that were granted Admin access with finance editor role, as well as terminating all browser authentication sessions and resetting your existing login credentials," Nejad says.
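The review Nejad describes is easy to get wrong by hand when a business has dozens of users, so here is an added example (not code from WithSecure or Meta) of the triage step: given an export of the users on a Business Manager account, it lists everyone holding a privileged role who is not on the organisation's approved list, and marks whether the address is external. The record shape (`email`, `roles`) and the role names `ADMIN` and `FINANCE_EDITOR` are assumptions modelled on Business Manager's user roles; check them against your own export. The users and domains are constructed.

```python
# Roles in Business Manager that can add users or control ad spend; an unknown
# holder of either is the indicator to act on. Role names are an assumption
# modelled on Business Manager's user roles; confirm them in your export.
PRIVILEGED_ROLES = {"ADMIN", "FINANCE_EDITOR"}


def flag_unexpected_privileged_users(users, approved_emails, corporate_domain):
    """Return privileged Business Manager users that are not on the approved
    list, noting whether the address is external to the company."""
    approved = {e.lower() for e in approved_emails}
    domain_suffix = "@" + corporate_domain.lower()
    findings = []
    for user in users:
        email = user["email"].lower()
        privileged = sorted({r.upper() for r in user["roles"]} & PRIVILEGED_ROLES)
        if not privileged or email in approved:
            continue
        findings.append({
            "email": email,
            "roles": privileged,
            "external": not email.endswith(domain_suffix),
        })
    return findings


# Constructed export of business users: fake people and fake domains.
SAMPLE_USERS = [
    {"name": "Alice Park", "email": "alice.park@example.com", "roles": ["ADMIN"]},
    {"name": "Bob Lin", "email": "bob.lin@example.com", "roles": ["EMPLOYEE"]},
    {"name": "Carol Diaz", "email": "carol.diaz@example.com",
     "roles": ["ADMIN", "FINANCE_EDITOR"]},
    {"name": "Ads Buyer", "email": "ads.buyer7731@mail.example.net",
     "roles": ["ADMIN", "FINANCE_EDITOR"]},
]
APPROVED_ADMINS = ["alice.park@example.com"]

if __name__ == "__main__":
    for f in flag_unexpected_privileged_users(SAMPLE_USERS, APPROVED_ADMINS, "example.com"):
        where = "external" if f["external"] else "internal"
        print(f"revoke: {f['email']} ({', '.join(f['roles'])}, {where})")
```

Note that the internal but unapproved account is reported alongside the obviously foreign one: an attacker who already holds an admin session can also elevate an existing employee's role, so the comparison is against the approved list, not just against the corporate domain. This script only produces the revocation list; the other steps Nejad recommends, terminating all browser sessions and resetting credentials, still have to be done in Meta's Business Manager.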