Security researchers from WithSecure™ have warned of a malware campaign targeting Facebook Business/Ads users.
According to its report, the phishing campaign – dubbed ‘DUCKTAIL’ – “is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to.”
The scam targets people in managerial, digital marketing, digital media, and human resources roles.
Anyone with a Facebook Business/Ads account who fits those criteria is advised to review who has access to their account under Business Manager > Settings > People, and to revoke access from anyone they do not recognise.
How does DUCKTAIL work?
The scam begins by identifying potential Facebook Business/Ads users on LinkedIn and sending them a bogus message inviting them to open an attachment.
The files are stored on a legitimate Cloud service, such as Dropbox or iCloud, and are named using keywords related to “brands, products and project planning.”
Both these elements lend the message a sense of legitimacy, encouraging users to follow the link. However, users who do so and open the downloaded file inadvertently execute malware on their system.
The malicious software extracts stored Facebook session cookies from each browser that it finds. It then “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.” Because the stolen cookies represent a session that has already been authenticated, replaying them lets the attackers act as the victim without ever seeing a password or completing a two-factor prompt.
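To make the cookie-theft step concrete, here is an added illustration written for this article; it is not DUCKTAIL’s code and nothing in it comes from WithSecure’s report. It builds a throwaway SQLite database that mirrors the columns of Chromium’s `cookies` table (constructed sample rows), then pulls out the two cookies that carry a logged-in Facebook session (`c_user`, the account id, and `xs`, the session secret) and assembles the `Cookie` header a stealer would attach to its requests. The cookie names are real; the values, the profile path and the snapshot-copy step are assumptions made for the example.

```python
"""Illustrative cookie-store read, mirroring the columns of Chromium's
`cookies` table. Constructed sample data; not DUCKTAIL's own code."""
import os
import sqlite3
import tempfile

# Cookies that together represent an authenticated Facebook session.
FACEBOOK_SESSION_COOKIES = ("c_user", "xs")


def build_sample_cookie_store(path: str) -> None:
    """Create a cookie DB with the columns a stealer reads (constructed data)."""
    con = sqlite3.connect(path)
    con.execute(
        """CREATE TABLE cookies (
               host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB,
               path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)"""
    )
    rows = [
        # Plain-text values are used here for readability. A real Chromium store
        # leaves `value` empty and fills `encrypted_value` (DPAPI / AES-GCM on
        # Windows, Keychain on macOS), which a stealer must decrypt first.
        (".facebook.com", "c_user", "100000000000001", b"", "/", 13300000000000000, 1, 0),
        (".facebook.com", "xs", "12%3Asample-session-secret%3A2%3A1660000000", b"", "/", 13300000000000000, 1, 1),
        (".facebook.com", "datr", "sample-browser-id", b"", "/", 13300000000000000, 1, 1),
        (".example.com", "session", "unrelated", b"", "/", 13300000000000000, 1, 1),
    ]
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def extract_facebook_session(cookie_db: str) -> dict:
    """Return {name: value} for the Facebook session cookies in a cookie store.

    The DB is copied before it is opened: a running browser holds a lock on the
    live file, so stealers work from a snapshot (assumed behaviour).
    """
    snapshot = cookie_db + ".copy"
    with open(cookie_db, "rb") as src, open(snapshot, "wb") as dst:
        dst.write(src.read())
    con = sqlite3.connect(snapshot)
    try:
        placeholders = ",".join("?" * len(FACEBOOK_SESSION_COOKIES))
        cur = con.execute(
            "SELECT name, value FROM cookies "
            f"WHERE host_key LIKE '%facebook.com' AND name IN ({placeholders})",
            FACEBOOK_SESSION_COOKIES,
        )
        return {name: value for name, value in cur.fetchall()}
    finally:
        con.close()
        os.remove(snapshot)


def cookie_header(session: dict) -> str:
    """Build the Cookie header value a stealer would send to Facebook endpoints."""
    return "; ".join(f"{k}={session[k]}" for k in FACEBOOK_SESSION_COOKIES if k in session)


def demo() -> dict:
    """Build the sample store in a temp dir and run the extraction against it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Cookies")
        build_sample_cookie_store(db)
        return extract_facebook_session(db)


if __name__ == "__main__":
    session = demo()
    print(session)
    print("Cookie:", cookie_header(session))
```

The point the example makes is that the cookie pair on its own is enough: no password is read, and the two-factor step was already completed by the victim when the session was created. Session cookies therefore need the same protection as credentials, and invalidating active sessions (logging out everywhere) is part of recovering a compromised account.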
The criminals can then give themselves Admin and Finance editor access, enabling them to edit settings, people, accounts, and tools. They can also edit credit card information and financial details such as transactions, invoices, account spend, and payment methods.
Moreover, they can add businesses to the victim’s credit cards and monthly invoices, and use the victim’s payment methods to run ads.
Commenting on WithSecure’s analysis, a spokesperson for Facebook’s parent company, Meta, said: “We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection.
“We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”
Preventing social media scams
Social media is, more than ever, proving to be a goldmine for cyber criminals. An FTC report found that more than 95,000 people reported that they fell victim to a social media scam in 2021, with losses totalling $770 million.
As one of the most popular social networks, Facebook is inevitably a frequent target. It doesn’t help that the site collects vast amounts of sensitive data and is used for both personal and business purposes. As such, there are countless scams that cyber criminals can pull off.
Cyber security researchers are also increasingly seeing criminal hackers leverage information from multiple social media sites to conduct sophisticated scams. In the example WithSecure analyzed, crooks used LinkedIn as well as Facebook to launch their attack – and the former is no stranger to being used for scams.
In a recent post, Tech Genix explained four types of LinkedIn scams and provided advice on how to mitigate the risk. Meanwhile, WithSecure provided its own advice to people looking to avoid social media scams.
For example, it recommends using endpoint detection and response tools to generate telemetry about intrusion attempts, as well as endpoint security tools to identify the malware itself.
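One concrete use of that telemetry, as an added example that is not part of the article or WithSecure’s advice: the theft step described above requires some process other than the browser to open the browser’s cookie store, which is a narrow and unusual event on a workstation. The check below runs over file-access events and flags any read of a known cookie-store path by a process that is not the browser owning it. The event format (`ts`, `process`, `path` keys), the sample events and the dropped file’s name are constructed for this example, and the check assumes the endpoint product records file reads rather than only file creations.

```python
"""Hunting check over endpoint file-access telemetry for cookie-store reads by
non-browser processes. Event format and samples are constructed for this
example; the cookie-store paths are the browsers' default locations."""
import fnmatch

# Default cookie-store locations under a user's profile. Chromium-family
# browsers moved the file into a Network\ subfolder in newer versions, so both
# locations are listed. Extra profiles ("Profile 1") are covered by the wildcard.
COOKIE_STORE_PATTERNS = [
    r"*\google\chrome\user data\*\cookies",
    r"*\google\chrome\user data\*\network\cookies",
    r"*\microsoft\edge\user data\*\cookies",
    r"*\microsoft\edge\user data\*\network\cookies",
    r"*\mozilla\firefox\profiles\*\cookies.sqlite",
]

# Processes that legitimately open those files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def is_cookie_store(path: str) -> bool:
    """True if the path points at one of the known browser cookie databases."""
    p = path.lower()
    return any(fnmatch.fnmatchcase(p, pat) for pat in COOKIE_STORE_PATTERNS)


def suspicious_cookie_access(events: list) -> list:
    """Return the events where a non-browser process touched a cookie store."""
    flagged = []
    for ev in events:
        if not is_cookie_store(ev["path"]):
            continue
        if ev["process"].lower() in BROWSER_PROCESSES:
            continue
        flagged.append(ev)
    return flagged


# Constructed sample telemetry: the browser reading its own store is normal;
# a freshly downloaded executable with a project-planning style name reading
# two browsers' stores is the pattern worth an alert.
SAMPLE_EVENTS = [
    {"ts": "2022-07-26T09:12:01Z", "process": "chrome.exe",
     "path": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2022-07-26T09:15:44Z", "process": "explorer.exe",
     "path": r"C:\Users\jo\Downloads\Brand_Guidelines_Project_Plan.docx"},
    {"ts": "2022-07-26T09:16:10Z", "process": "Brand_Guidelines_Project_Plan.exe",
     "path": r"C:\Users\jo\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2022-07-26T09:16:11Z", "process": "Brand_Guidelines_Project_Plan.exe",
     "path": r"C:\Users\jo\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite"},
    {"ts": "2022-07-26T09:20:03Z", "process": "firefox.exe",
     "path": r"C:\Users\jo\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite"},
]


if __name__ == "__main__":
    for ev in suspicious_cookie_access(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['process']} read {ev['path']}")
```

In practice the allow-list needs the backup agent, the endpoint product itself and any password or cookie sync tooling the organisation runs, otherwise the check is noisy; but a newly created executable reading more than one browser’s cookie store within seconds is a strong enough signal to page on.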
However, the most effective defence in fighting phishing campaigns is staff awareness. Your employees are your last line of defence, since scams are almost always designed to trick people into giving the attackers access to sensitive data.
In this case, the scam relies on users opening the malicious file, which executes the malware. In other attacks, the user is prompted to provide their login credentials, allowing the crooks to compromise their account.
To protect employees from making these mistakes, organizations must explain to employees the threat of phishing and how to identify scams.
You can find everything your employees need to know in our Phishing Staff Awareness E-Learning Course.
This 45-minute course uses real-world examples like the one we’ve discussed here to explain how phishing works, the tactics that cyber criminals use and how to avoid falling victim.
Those who take the course will be in a position to spot suspicious emails and know how to respond quickly and efficiently, minimizing the risk to them and your organization.