A phishing campaign dubbed ‘Ducktail’ was recently identified by security researchers at WithSecure. The campaign targets social media professionals on LinkedIn with administrative social media privileges in order to take over Facebook business accounts that manage advertising for victim companies.
The threat group reaches out to employees on LinkedIn who could have Facebook business account access, for example, people listed as working in “digital media” and “digital marketing” as their roles. As part of the conversations with a potential target, the threat group uses social engineering to induce them to download a file hosted on a legitimate cloud hosting service such as Dropbox or iCloud. The downloaded archive contains JPEG image files relevant to the discussion between the scammer and the employee but also includes an executable made to appear like a PDF document.
This executable is a malicious .NET Core file that contains all required dependencies, allowing it to run on any computer. When executed, the malware scans for browser cookies on Chrome, Edge, Brave, and Firefox, collects system information, and steals Facebook credentials by crawling through Facebook pages to capture multiple access tokens. The activity will appear to be authentic since it originates from the victim’s account and device.
The stolen information includes cookies, IP address, account information (name, email, birthday, user ID), two factor authentication (2FA) codes, and geolocation data. Business-specific details stolen from the compromised accounts include the verification status, advertising limit, users list, client list, ID, currency, payment cycle, the amount spent, and the adtrust DSL (dynamic spend limit). The data is eventually exfiltrated through Telegram bots.
In addition to acting as an info stealer, Ducktail also hijacks victims’ Facebook accounts by adding a new email address to the compromised Facebook Business account, alongside permissions allowing full access. The threat actors then utilize their new privileges to replace financial details in order to direct advertising payments to their own accounts or fund malicious Facebook Ad campaigns from the budgets of victimized firms’ media accounts.