Newly Discovered Malware Hacks Facebook Business Accounts – TechCrunch


Ongoing cybercriminal activity is targeting digital marketing and HR professionals in an effort to hack into Facebook business accounts using newly discovered data-stealing malware.

Researchers at WithSecure, the enterprise security business spun out of F-Secure, discovered the campaign, which they dubbed Ducktail, and said it suggests a Vietnamese threat actor has been developing and distributing the malware since the latter half of 2021. They added that the operation's motives appear to be purely financial.

The threat actor first tracks down targets through LinkedIn and selects high-level Facebook business accounts, particularly employees with high access levels.

“We believe that ducktail operators choose a small number of targets to increase their chances of success and remain undetected,” said Mohammad Kazem Hassan Nejad, researcher and malware analyst at WithSecure Intelligence. “We’ve seen individuals in management, digital marketing, digital media and HR roles within companies being targeted.”

The threat actor uses social engineering to convince the target to download a file hosted on a legitimate cloud host such as Dropbox or iCloud. The file uses keywords related to brands, products and project plans to appear legitimate, but it carries data-stealing malware that WithSecure says is the first it has seen specifically designed to hijack Facebook Business accounts.

Once on the victim's system, the Ducktail malware steals browser cookies and uses the victim's authenticated Facebook sessions to take information from their Facebook account, including account details, location data and two-factor authentication codes. The malware also lets the threat actor hijack any Facebook Business account the victim has sufficient access to, simply by adding the attacker's email address to the compromised account, which prompts Facebook to send an email to that address.

“The recipient — in this case, a threat actor — is then connected to an email link to log into that Facebook business. This method represents the standard process used to provide Facebook business services to individuals, and bypasses security features implemented by Meta to prevent this type of attack,” says Nejad.

The threat actors used their new privileges to replace the account’s financial details to direct payments to their accounts or run Facebook ad campaigns using funds from victim organizations.

WithSecure, which shared its research with Meta, said it “couldn’t tell the success or lack thereof” of the Ducktail campaign and couldn’t say how many users were affected, but said it saw no regional pattern. Judging by Ducktail’s targeting, potential victims are spread across Europe, the Middle East, Africa and North America.

A Meta spokesperson told TechCrunch in a statement: “We welcome security studies regarding threats that target our industry. This is a very hostile environment and we know that these malicious groups will try to evade our detection. We know about these particular scammers, we regularly crack down on them, and we continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be careful about what software they install on their devices.”
