A new phishing campaign, codenamed “Ducktail”, is currently targeting professionals on LinkedIn with the goal of gaining control of the Facebook Business accounts that handle their company’s advertising.
The creators of Ducktail use a focused targeting strategy and meticulously pick their victims, looking for individuals with admin rights on their employers’ social media accounts.
Researchers at WithSecure discovered the campaign after tracking what they believe to be a Vietnamese threat actor since 2021 and gathering evidence of activity dating back to 2018.
This indicates that Ducktail has been active for at least a year, and possibly for over four.
Stealing Accounts on Facebook
The threat actor contacts workers on LinkedIn who might have access to Facebook business accounts, such as those whose roles are labeled as “digital media” and “digital marketing.”
The threat actors converse with potential targets and, using social engineering and deceit, attempt to persuade them to download a file from a genuine cloud hosting provider such as Dropbox or iCloud.
The downloaded ZIP contains an executable disguised as a PDF document, along with JPEG image files relevant to the conversation between the con artist and the employee.
This executable, which is actually .NET Core malware, bundles all of its dependencies and can therefore run on any machine, including one that doesn’t have the .NET runtime installed.
When the malware is activated, it searches for browser cookies on Chrome, Edge, Brave, and Firefox, gathers system data, and finally aims for Facebook credentials.
According to WithSecure’s report, in order to extract information from the victim’s Facebook account, the malware communicates directly with various Facebook endpoints from the victim’s computer using the Facebook session cookie (and other security credentials that it obtains through that initial session cookie).
Since the requests originate from the victim’s machine and carry a valid session cookie, they appear to be legitimate calls to Facebook’s APIs.
The malware also crawls several Facebook pages to collect multiple access tokens, which it later uses to query endpoints freely.
The stolen information, which includes cookies, IP addresses, account details (name, email, birthday, and user ID), 2FA codes, and geolocation data, lets a threat actor simply resume the session from their own workstation.
The business-specific information taken from the hijacked account includes the verification status, advertising limit, user list, client list, ID, currency, payment cycle, amount spent, and the adtrust DSL (dynamic spend limit).
The data is exfiltrated through Telegram bots once the Facebook accounts are compromised, when the malware process terminates, or when the malware fails.
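The chain described above (a non-browser process reading the cookie stores of Chrome, Edge, Brave or Firefox, then reaching out to a Telegram bot) is something endpoint telemetry can surface. The following is an added detection example, not code from the article or from WithSecure; the event line format, the process names and the use of api.telegram.org as the exfiltration host are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# Default cookie-store paths for the browsers the article names (Chrome, Edge, Brave, Firefox).
COOKIE_STORE_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\(Network\\)?Cookies$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
EXFIL_HOSTS = {"api.telegram.org"}  # Telegram Bot API host; assumed exfiltration channel
WINDOW = timedelta(minutes=15)


def detect(events):
    """Flag a non-browser process that reads a browser cookie store and then
    connects to a Telegram bot endpoint within WINDOW.
    Constructed event format: ts|kind|pid|image|detail, where kind is
    'file_read' (detail = path) or 'net_connect' (detail = host)."""
    first_read = {}  # pid -> (image, time of first cookie-store read)
    alerts = []
    for line in events:
        ts_s, kind, pid, image, detail = line.strip().split("|")
        ts = datetime.fromisoformat(ts_s)
        exe = image.rsplit("\\", 1)[-1].lower()
        if kind == "file_read" and exe not in BROWSER_IMAGES and COOKIE_STORE_RE.search(detail):
            first_read.setdefault(pid, (image, ts))  # browsers reading their own cookies are expected
        elif kind == "net_connect" and pid in first_read and detail.lower() in EXFIL_HOSTS:
            image0, ts0 = first_read[pid]
            if ts - ts0 <= WINDOW:
                alerts.append({"pid": pid, "image": image0, "host": detail.lower(),
                               "cookie_read_at": ts0.isoformat()})
    return alerts


# Constructed sample telemetry: a benign browser session followed by a Ducktail-style chain.
SAMPLE_EVENTS = [
    "2022-07-26T09:00:01|file_read|4120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "2022-07-26T09:00:05|net_connect|4120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|api.telegram.org",
    "2022-07-26T09:12:40|file_read|5532|C:\\Users\\ana\\Downloads\\Project_Brief.pdf.exe|C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
    "2022-07-26T09:12:41|file_read|5532|C:\\Users\\ana\\Downloads\\Project_Brief.pdf.exe|C:\\Users\\ana\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\cookies.sqlite",
    "2022-07-26T09:13:02|net_connect|5532|C:\\Users\\ana\\Downloads\\Project_Brief.pdf.exe|api.telegram.org",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the disguised executable (pid 5532) is flagged; the browser's own cookie access and Telegram connection are ignored because browsers are expected to touch their own stores.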
Using a Fake Facebook Account
The malware not only steals information from victims’ Facebook accounts; it also hijacks them by adding the threat actor’s email address to the stolen Facebook Business account. When adding that user, the malware grants permissions that give the threat actors complete control of the account.
The threat actors then use these new rights to replace the configured financial details, so that they can receive payments directly into their own accounts or fund Facebook advertising campaigns with money from the affected businesses.
According to WithSecure, the Ducktail operators’ primary motivation is financial: they want to make quick money in a situation where it takes some time to identify and halt the fraud.
Notably, in April 2022, an information stealer known as FFDroider demonstrated a similarly advanced automated account-stealing and session-token verification technique.