This new malware hijacks Facebook business accounts

Digital marketing experts are the focus of an ongoing cybercrime operation that aims to compromise Facebook Business accounts deploying newly found malware that steals data.

The ongoing effort, which they named Ducktail, was uncovered by researchers at WithSecure, the business division of security firm F-Secure. They also found some evidence that a Vietnamese malicious actor has been creating and disseminating the malware since the second half of 2021. The business noted that it appears that the operations are only conducted for financial gain.

The threat actor initially conducts a target scouting operation on LinkedIn, picking out professionals who are most likely to have a higher access to Facebook Business accounts, especially those with the most access, according to TechCrunch.

The hacker will then attempt to persuade the victim to download a file from a trusted cloud server, such as Dropbox or iCloud, using media manipulation. While the file attempts to look authentic by containing terms relevant to companies, products, and project planning, it usually contains data-manipulating malware that WithSecure claims is the first virus they have seen that is especially made to sabotage Facebook Business accounts.

When Ducktail malware is installed on a victim's computer, it hijacks authorized Facebook transactions and collects browser cookies to access the victim's Facebook profile and collect data such as account information, location information, and two-factor authentication codes.

By linking the target's email address to the infiltrated account, which causes Facebook to send a link through email to the same email address, the malware enables the malicious user to steal any Facebook Business account that the target has easy accessibility.

In order to access the Facebook Business, the recipient—in this scenario, the threat actor—interacts with the email link. According to Mohammad Kazem Hassan Nejad, a researcher and malware expert from WithSecure Intelligence, this approach represents the usual process used to provide persons "access to a Facebook Business, and thus circumvents security" protections developed by Meta to protect users against such exploitation.

In steering transactions to their accounts or to launch Facebook Ad campaigns with funds from the compromised businesses, the threat actors use their unauthorized access to replace the account's predetermined financial information.

When asked how many users may have been affected by the Ducktail campaign, WithSecure, after it shared its findings with Meta, stated that it was still unable to "determine the success, or lack thereof," of the campaign. It also mentioned that it had not noticed any regional patterns in Ducktail's profiling, as potential victims are from across Europe, the Middle East, Africa, and North America.

A representative for Meta said in a statement to TechCrunch that the company welcomes security study into the issues affecting the sector. The spokesperson said the company is aware that these malevolent entities will keep attempting to avoid its detection in the highly aggressive environment. "We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts." They advise users to be careful when choosing the apps they install on their phones and computers since this type of malware is frequently obtained via off-platform sources.