Reports have emerged claiming that Facebook Business/Ads users are being targeted in a malware campaign.
Security researchers at WithSecure discovered a series of phishing attacks that were stealing browser cookies to take advantage of authenticated Facebook sessions. The criminal hackers then stole information from users’ accounts and hijacked any Facebook Business account that the victim had access to.
The scam, which has been dubbed Ducktail by the security researchers, targets people in managerial, digital marketing, digital media and human resources roles.
How does the scam work?
The attack begins with the fraudsters identifying potential Facebook Business/Ads users on LinkedIn. They then send them a bogus message that invites them to open an attachment.
The attached files are stored on a legitimate cloud service, such as Dropbox or iCloud, and are named using keywords related to “brands, products and project planning”.
Both these elements lend the message a sense of legitimacy, encouraging users to follow the link. However, users who do so inadvertently unleash malware onto their system.
The malicious software extracts stored Facebook session cookies for each browser that it finds.
It then “directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account.”
The criminals can then give themselves Admin and Finance editor access, enabling them to edit settings, people, accounts and tools. They can also edit credit card information and financial details such as transactions, invoices, account spend and payment methods.
Moreover, they can add businesses to the victim’s credit cards and monthly invoices and use the victim’s payment methods to run ads.
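Because the malware's first step is reading the session-cookie stores of every browser it finds, one defender-side signal is a non-browser process opening those files. The following is an added detection example, not code from the article or from WithSecure's report; it assumes Windows endpoints producing Sysmon-style file-access events (process image plus target path) and uses constructed sample events.

```python
import re
from pathlib import PureWindowsPath

# Well-known cookie store locations and the browser binary expected to own each.
# (Other legitimate software, e.g. backup agents, may also read them: tune the allowlist.)
COOKIE_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Network\\)?Cookies$", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\(Network\\)?Cookies$", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\cookies\.sqlite$", re.I), {"firefox.exe"}),
]

# Constructed sample events (hypothetical paths and file names, not real indicators).
EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\Downloads\ProjectPlan_Brand_Q3.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\Downloads\ProjectPlan_Brand_Q3.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def classify(event):
    """Return the offending process name if a non-browser process touched a
    browser cookie store, otherwise None."""
    for pattern, owners in COOKIE_STORES:
        if pattern.search(event["target"]):
            proc = PureWindowsPath(event["image"]).name.lower()
            if proc not in owners:
                return proc
    return None


def suspicious_accesses(events):
    """List (process, cookie store) pairs worth triaging, in event order."""
    return [(e["image"], e["target"]) for e in events if classify(e)]


if __name__ == "__main__":
    for image, target in suspicious_accesses(EVENTS):
        print(f"ALERT: {image} read {target}")
```

A hit on its own is only a triage lead; pairing it with the process's origin (a recent download from a file-sharing link, as in this campaign) sharpens it considerably.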
Commenting on WithSecure’s analysis, a spokesperson for Facebook’s parent company, Meta, said: “We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection.
“We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”
Preventing social media scams
Social media is, more than ever, proving to be a goldmine for cyber criminals. As one of the most popular social networks, Facebook is inevitably a frequent target.
It doesn’t help that the site collects vast amounts of sensitive data and is used for both personal and business purposes. As such, there are countless scams that cyber criminals can pull off.
Cyber security researchers are also increasingly seeing criminal hackers leverage information from multiple social media sites to conduct sophisticated scams.
The most effective defence against phishing campaigns is staff awareness. Your employees are your last line of defence, because these scams are almost always designed to trick people into giving the attackers access to sensitive data.
In this case, the scam relies on users opening the malicious document, which releases the malware. In other attacks, the user is prompted to provide their login credentials, allowing the fraudsters to compromise their account.
To prevent these mistakes, organisations must explain to employees what the threat of phishing is and how to identify scams.
You can find everything your employees need to know in our Phishing Staff Awareness E-Learning Course.
This 45-minute course uses real-world examples like the one we’ve discussed here to explain how phishing works, the tactics that cyber criminals use and how to avoid falling victim.
Those who take the course will be in a position to spot suspicious emails and know how to respond quickly and efficiently, minimising the risk to them and your organisation.