Like aquatic parasites, scammers have latched on to Facebook-based ad professionals whenever they stick their feet into the murky waters of anonymous networking. And according to two separate reports, LinkedIn has become a major thoroughfare for bad actors trying to attack ad professionals with invasive malware, likely for the purpose of creating fake Facebook ad campaigns.
On Tuesday, cyber security firm WithSecure reported they uncovered a spear phishing operation they dubbed “DUCKTAIL.” For years, the scheme has used infostealer malware that’s apparently very good at hijacking Facebook Business/Ads accounts with “high level access” by digging into users’ browser cookies and hard drive.
These scammers, who researchers said were being led by a Vietnam-based ringleader, look for targets on LinkedIn and hones in those who have the best chance of using Facebook’s advertising platform. Victims are often identified as people working in “digital media” or “digital marketing.” Then hackers masquerading as product suppliers try to coerce them to download malicious files containing image sets that are actually relevant to the conversation and are even tailored to a victims location. The files are hosted on cloud sites like Dropbox or MediaFire, but then the user accidentally downloads malware that worms its way into users’ browsers and computer data looking for Facebook-related info.
That malware then scans for browser cookies, and more specifically Facebook login info. The program will also try to scrounge up IP addresses, account info, geolocation and more on some of the most popular internet browsers. Once inside, the hackers add permissions to the Facebook Business account to make it appear that they are a legitimate operator. Apparently, all this user info is being shunted to restricted Telegram channels where hackers communicate with each other.
This isn’t the first time fraudsters have appeared to have a particular love affair with Facebook-based advertisers, and it’s more-than-likely these hijacked accounts are being used in fraudulent advertising campaigns. Facebook ad accounts are valuable because they have a money attached to them, allowing hackers to spend big money in a short time. One fraudulent ad campaign back in 2019 spent $10,000 a day on scam ads. Another user in 2021 detailed how hackers started running $15,000 per day on ads for “Santa Clause on a stripper pole” decorations, all while changing the names of her Facebook pages and getting users to click on malicious links.
This recent report may offer some of the deepest insight security professionals have ever had with these ad account phishing enterprises. WithSecure researchers said the scammers select only a few victims so as not to bring too much attention. The company also said they’ve been tracking this scam since late 2021 when they encountered an unknown piece of malware, but the scheme could go all the way back to 2018. The company said they supplied its research with Facebook’s parent company Meta.
In an email statement, a Meta spokesperson said they welcome this research, they are “aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices and where the software came from.”
The company has pointed users toward its help center while telling reporters they encouraged ad accounts users to use their best practices. Of course, the platform already struggles to handle false or misleading ads purchased legitimately on the platform, so it does have its hands full. A recent report detailed ads for unproven or even harmful medical treatments often appear on Facebook.
This past Saturday, another cyber security company Check Point released a separate report showing that LinkedIn has been and remains the top site that scammers use for phishing attempts. Users are often bombarded with emails that try to sound professional or seem to come directly from LinkedIn itself, all while trying to get users to give up user information or click on malicious links.
LinkedIn remains the top brand that bad actors use for phishing attempts at 45%, compared to the second highest being Microsoft at 13%.
In an email statement, LinkedIn said “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on two-step verification.” They also pointed users to the company’s help center.
The company does offer some rudimentary protections users can take against phishing, but in the end, most revolve around not accepting invitations to chat or clicking on links from users you don’t know.
In the meantime, check out Gizmodo’s guide for making your browser as secure as possible to hopefully avoid a malicious actor hooking you on the line during their next phishing trip.