Hackers are on the hunt for Facebook Business accounts to hijack and use the credit cards linked to those accounts to fund their own ad campaigns.
Security experts at WithSecure have uncovered criminals targeting individuals and employees that may have access to a Facebook Business account with an information-stealer malware.
The researchers dubbed the malware “DUCKTAIL”, and believe a Vietnamese threat actor is running the show. The modus operandi is relatively simple: they’ll first look for businesses that are buying ads on Facebook, and then try to guess who from that company might have access to its Facebook Business account.
Managers in the crosshairs
Most of the time, they’ll target either managers, or people working in the marketing department.
“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to," WithSecure said in its report (opens in new tab).
“We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted,” it added. After identifying the target, the threat actor will engage in social engineering and phishing, until they manage to deploy infostealers on the victims’ endpoints.
> Beware - another dangerous Android malware has had millions of downloads from the Google Play Store (opens in new tab)
> More brutal malware-laden Android apps are lurking on the Play Store (opens in new tab)
> These are the best malware protection services around (opens in new tab)
The malware was said to have been coded using .NET Core, and once installed, it scans the target’s browser for Facebook session cookies. If found, the malware “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”
With the session cookies, the threat actors are able to fully take over the victim’s account, and use the credit card link to that account to fund ads that other businesses run.
Apparently, the threat actors have been tweaking DUCKTAIL for years, helping it avoid any new security measures installed by the social network.
- Keep your devices secure with the best antivirus (opens in new tab) tools around
Via: The Register (opens in new tab)