New malware strain bypasses Facebook authentication to hijack business accounts


Hackers are on the hunt for Facebook Business accounts to hijack and use the credit cards linked to those accounts to fund their own ad campaigns. 

Security experts at WithSecure have uncovered criminals targeting individuals and employees who may have access to a Facebook Business account with information-stealing malware.

The researchers dubbed the malware “DUCKTAIL”, and believe a Vietnamese threat actor is running the show. The modus operandi is relatively simple: they’ll first look for businesses that are buying ads on Facebook, and then try to guess who from that company might have access to its Facebook Business account. 

Managers in the crosshairs

Most of the time, they’ll target either managers, or people working in the marketing department. 

“The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account and ultimately hijack any Facebook Business account that the victim has sufficient access to,” WithSecure said in its report.

“We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted,” it added. After identifying the target, the threat actor will engage in social engineering and phishing, until they manage to deploy infostealers on the victims’ endpoints.

The malware was said to have been coded using .NET Core, and once installed, it scans the target’s browser for Facebook session cookies. If found, the malware “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”
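The behaviour described above, an unrelated process opening the browser's cookie store, is something defenders can look for in endpoint telemetry. The following is an added example, not code from WithSecure's report or from the malware itself: it scans constructed file-access events in a simplified Sysmon-like "Image=... TargetFilename=..." format (an assumed layout, not a vendor schema) and flags any non-browser executable that reads a Chromium-style `User Data\...\Cookies` file or a Firefox `cookies.sqlite`. The browser names, sample paths and the `invoice_details.exe` process name are constructed for illustration.

```python
"""Detection sketch: flag non-browser processes that read browser cookie stores.

Added example. The event format is a simplified, constructed Sysmon-like
file-access log (assumption), not any vendor's real schema.
"""
import re
from dataclasses import dataclass

# Processes that legitimately open their own cookie stores (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Chromium-based browsers keep cookies in a SQLite file literally named
# "Cookies" under a "User Data" profile directory; Firefox uses "cookies.sqlite".
COOKIE_STORE_RE = re.compile(r"(?i)(\\User Data\\.*\\Cookies$|\\cookies\.sqlite$)")


@dataclass
class Event:
    image: str   # executable name of the process that opened the file, lower-cased
    target: str  # full path of the file that was opened


def parse_event(line):
    """Parse one constructed 'Image=<exe path> TargetFilename=<path>' line."""
    m = re.match(r"Image=(.+?)\s+TargetFilename=(.+)$", line)
    if not m:
        return None
    image_name = m.group(1).rsplit("\\", 1)[-1].lower()
    return Event(image=image_name, target=m.group(2))


def is_suspicious(ev):
    """True when a non-browser process touches a browser cookie store."""
    return ev.image not in BROWSER_IMAGES and bool(COOKIE_STORE_RE.search(ev.target))


def find_cookie_theft(lines):
    """Return the events that match the cookie-store access pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious(ev):
            hits.append(ev)
    return hits


# Constructed sample telemetry: one legitimate browser read, two reads by an
# unrelated executable dropped in the user's Temp directory, one unrelated event.
SAMPLE_LOG = [
    r"Image=C:\Program Files\Google\Chrome\Application\chrome.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Image=C:\Users\alice\AppData\Local\Temp\invoice_details.exe TargetFilename=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"Image=C:\Users\alice\AppData\Local\Temp\invoice_details.exe TargetFilename=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\cookies.sqlite",
    r"Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    for hit in find_cookie_theft(SAMPLE_LOG):
        print(f"ALERT: {hit.image} read cookie store {hit.target}")
```

The allow-list approach deliberately ignores what the reading process is called; a stealer that copies the cookie database rather than reading it in place would show up the same way. In practice this rule belongs alongside browser-cookie-store integrity alerts and, on the Facebook side, review of new sessions and ad-account permission changes, since the stolen cookie bypasses the login step entirely.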

With the session cookies, the threat actors are able to fully take over the victim’s account, and use the credit card linked to that account to fund ads that other businesses run.

Apparently, the threat actors have been tweaking DUCKTAIL for years, helping it avoid any new security measures installed by the social network.

Via: The Register

Sead Fadilpašić
