New financial malware targets professionals with access to a Facebook Business account
New malware is on the loose, and it is built specifically to take over Facebook Business accounts. More importantly, it targets the people who have access to such accounts, such as human resources staff and digital marketers. If you are one of them, you may want to be extra careful online, especially when downloading files that look suspicious. (Via TechCrunch)
The malware was discovered by cybersecurity firm WithSecure, which has already shared the details of its research with Meta. Named “Ducktail”, the malware is said to steal data from targets, who are chosen based on their LinkedIn profile information. To further improve the odds of the operation succeeding, the operators select professionals with a high level of access to their company’s Facebook Business accounts.
“We believe that Ducktail operators carefully select a small number of targets to increase their chances of success and remain unnoticed,” said Mohammad Kazem Hassan Nejad, WithSecure Intelligence researcher and malware analyst. “We observed that people in management, digital marketing, digital media and human resources positions in companies had been targeted.”
According to WithSecure, it found evidence that a Vietnamese cybercriminal had been working on and distributing the malware since 2021. The firm said it could not determine how successful the operation has been or how many users have been affected. WithSecure researchers also say that no regional pattern has been observed in the attacks, and that victims could be scattered across Europe, the Middle East, Africa and North America.
WithSecure explained that after choosing the right targets, the malicious actor manipulates them into downloading a file hosted on a cloud service (e.g. Dropbox or iCloud). To make the file convincing, it is even named with company- and brand-related words. The true nature of the file, however, is the data-stealing malware it hides.
Running the file installs the malware, which can steal the target’s valuable data, such as browser cookies, which the actors can then use to take over authenticated Facebook sessions. With these they can get their hands on the victim’s Facebook account information, such as location data and two-factor authentication codes. For victims with access to Facebook Business accounts, the actors simply need to add an email address to the hacked account.
“The recipient — in this case, the threat actor — then interacts with the emailed link to access that Facebook business,” Nejad explains. “This mechanism represents the standard process used to grant individuals access to a Facebook business, and thus bypasses the security features implemented by Meta to protect against such abuse.”
Finally, once Ducktail operators have full control over a Facebook Business account, they can replace the account’s financial information with that of their group, allowing them to receive payments from customers and clients. It also gives them the flexibility to use the money tied to the account for other purposes.
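The two changes the article describes, an extra email address granted access to the Business account and replaced financial details, are both visible to the account's legitimate administrators if they compare the account against an approved baseline. The following is an added example written for this article, not code from WithSecure or Meta: it audits a constructed snapshot of a Business account's people list, pending invitations and payout details. The snapshot format, the baseline values and the `mail-example.test` addresses are all hypothetical and constructed for the demo; a real audit would fill the snapshot from a Business Manager export.

```python
"""Audit a Facebook Business account snapshot against an approved baseline.

Added example, not Meta's API: the snapshot layout below is constructed for
this demo. Flags the changes described in the article: an unexpected email
granted access (or a pending invite to one), and swapped payout details.
"""
from dataclasses import dataclass

# Constructed approved baseline (hypothetical accounts): who should hold
# access, the role each should have, and the payout details on file.
APPROVED_USERS = {
    "cfo@example.com": "ADMIN",
    "marketing-lead@example.com": "ADMIN",
    "hr-ops@example.com": "EMPLOYEE",
}
APPROVED_PAYOUT = {"bank_last4": "1234", "payout_name": "Example Corp"}
TRUSTED_DOMAINS = {"example.com"}


@dataclass
class Finding:
    severity: str  # "MEDIUM", "HIGH" or "CRITICAL"
    message: str


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def audit_snapshot(snapshot: dict) -> list[Finding]:
    """Return one Finding per deviation from the approved baseline."""
    findings: list[Finding] = []

    # 1. People with access: the operator adds their own email address and
    #    accepts the standard invite, so any email outside the baseline, or a
    #    baseline email whose role was escalated, is a finding.
    for user in snapshot.get("users", []):
        email, role = user["email"].lower(), user["role"]
        if email not in APPROVED_USERS:
            untrusted = role == "ADMIN" or _domain(email) not in TRUSTED_DOMAINS
            findings.append(Finding("HIGH" if untrusted else "MEDIUM",
                                    f"unexpected user {email} with role {role}"))
        elif APPROVED_USERS[email] != role:
            findings.append(Finding("HIGH",
                                    f"role changed for {email}: {APPROVED_USERS[email]} -> {role}"))

    # 2. Pending invitations: the emailed invite link is the hand-off point,
    #    so an outstanding invite to an untrusted domain is flagged before it
    #    is accepted.
    for email in snapshot.get("pending_invites", []):
        if _domain(email) not in TRUSTED_DOMAINS:
            findings.append(Finding("HIGH", f"pending invite to untrusted address {email.lower()}"))

    # 3. Payout details: operators replace the financial information with
    #    their own, so any field differing from the baseline is critical.
    payout = snapshot.get("payout", {})
    for key, expected in APPROVED_PAYOUT.items():
        if payout.get(key) != expected:
            findings.append(Finding("CRITICAL",
                                    f"payout field {key} changed: {expected!r} -> {payout.get(key)!r}"))

    return findings


# Constructed snapshot of a compromised account (hypothetical data).
SAMPLE_SNAPSHOT = {
    "users": [
        {"email": "cfo@example.com", "role": "ADMIN"},
        {"email": "marketing-lead@example.com", "role": "ADMIN"},
        {"email": "hr-ops@example.com", "role": "EMPLOYEE"},
        {"email": "payments-team@mail-example.test", "role": "ADMIN"},  # added by the intruder
    ],
    "pending_invites": ["finance@mail-example.test"],
    "payout": {"bank_last4": "9876", "payout_name": "Example Corp"},  # bank account swapped
}

# Constructed snapshot that matches the baseline exactly; should yield no findings.
CLEAN_SNAPSHOT = {
    "users": [{"email": e, "role": r} for e, r in APPROVED_USERS.items()],
    "pending_invites": [],
    "payout": dict(APPROVED_PAYOUT),
}

if __name__ == "__main__":
    for finding in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"[{finding.severity}] {finding.message}")
```

Run on the constructed compromised snapshot, the audit reports the unexpected admin, the pending invite to the untrusted domain, and the changed bank account, while the clean snapshot produces nothing. The same baseline comparison run on a schedule gives administrators a chance to catch an added email address or swapped payout details before payments start flowing to the operators.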