While it was initially discovered as an unknown malware earlier this year, WithSecure began tracking and analyzing the operation to find that DUCKTAIL has been used in the wild since the second half of 2021.
DUCKTAIL’s operations make use of an infostealer malware component that was specifically designed to hijack Facebook Business accounts. According to WithSecure, this is the first instance of such functionality and it separates DUCKTAIL from other malware strains designed to target regular Facebook users.
The malware itself was designed to steal browser cookies and use authenticated Facebook sessions to steal information from victims’ Facebook accounts in order to hijack any Facebook Business account that targeted individuals have access to.
Finding potential targets on LinkedIn
As is the case with other cyberattacks primarily targeting business users, DUCKTAIL’s operators use the professional social networking site LinkedIn to scout for potential victims.
LinkedIn users likely to have high-level access to a Facebook Business account and especially those with admin privileges are selected. From here, the attackers use social engineering to convince potential victims to download a file hosted on a cloud storage service like Dropbox, according to a report from TechCrunch (opens in new tab).
Besides keywords related to brands, products and project planning, these files also contain malware and when downloaded, DUCKTAIL is able to use saved browser cookies to take over a victim’s (or their organization’s) Facebook Business account.
Malware analyst and researcher at WithSecure, Mohammad Kazem Hassan Nejad provided further insight in a press release on how DUCKTAIL’s operators have been selecting targets, saying:
"We believe that the DUCKTAIL operators carefully select a small number of targets to increase their chances of success and remain unnoticed. We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted."
How to protect yourself and your business
If having your personal Facebook account hacked seems troubling, imagine what it’s like to lose access to your Facebook Business account. Many small business owners depend on Meta’s social network to reach their customers which is why the DUCKTAIL malware is so concerning.
Just like with other cyberattacks, WithSecure’s Nejad recommends exercising caution “when dealing with attachments or links sent from individuals you are unfamiliar with” on LinkedIn since DUCKTAIL’s operators use the platform to find new targets.
In a blog post (opens in new tab), the cybersecurity firm Avast recommends using one of the best password managers to improve the strength of your passwords and enabling two-factor authentication (2FA) to help keep your Facebook Business account more secure. At the same time, you should also grant administrator permissions to more than one user as having another account with admin authority will prevent you from being locked out.
Finally, you should review which third-party apps are connected to your Facebook Business account and ensure that you are only allowing access to well-known applications. Likewise, it's also worth taking a look at the apps installed on your smartphone as many malicious apps are designed to steal the data necessary to take over your Facebook account.