
Cyber crime targeting Meta’s ad ecosystem spreading

Cyber attacks targeting Meta Business and Facebook accounts are gaining popularity among criminals in Vietnam, according to a new report published by WithSecure™ (formerly known as F-Secure business).

According to the report, WithSecure™ Intelligence has observed and is currently tracking numerous groups targeting these platforms. The attacks manipulate an individual with access to the targeted account into infecting themselves with information-stealing malware.

The attackers manipulate victims into downloading the malware by using lures shared through email, social media, or similar means. Common themes to the lures observed by researchers in these attacks include trending topics (such as ChatGPT), popular software (such as Notepad++), employment opportunities (such as job ads or project proposals), and information about advertising platforms (such as Ads Manager tooling).

Following infection, the malware steals various information, including Facebook session cookies and login credentials, giving the attacker access to the targeted account. Some malware can also hijack the accounts and run fraudulent ads automatically via the victim’s machine.

Access to these accounts affords attackers a number of opportunities to make money, such as extortion, defamation, or, more notably, running fraudulent advertisements using their victim organization’s money or credit.

“These groups often sell ads to other cyber criminals, either for a fee or a share in the operations. That makes them a sort of enabler for other cyber criminals, which ultimately harms businesses, the platform, and users. Plus, they can sell a lot of the information they’re able to steal, which provides an additional source of revenue and causes more problems for victims,” said WithSecure™ researcher Mohammad Kazem Hassan Nejad, who authored the report.

In addition to providing an overview of the problem, the report analyzes two threats engaged in these attacks.

The first, DUCKTAIL, is a threat WithSecure™ Intelligence has tracked for approximately a year and a half. Researchers found a significant surge in DUCKTAIL activity in the last 6 months, as well as several notable developments in the operation. Some of the more significant evolutions observed include targeting X/Twitter advertising accounts, greater use of evasion/anti-analysis techniques to help avoid detection, and more.

The second threat detailed in the report, DUCKPORT, was discovered by WithSecure™ Intelligence in March 2023. There are considerable overlaps between DUCKTAIL and DUCKPORT, but also significant differences that researchers felt warranted tracking it as a separate threat. Capabilities unique to DUCKPORT include taking screenshots, abusing online note-sharing services as part of its command-and-control chain, and several others detailed in the report.

According to WithSecure’s Neeraj Singh, who participated in the research, the involvement of different but similar groups is indicative of a certain level of engagement occurring among adversaries operating in this space.

“These various groups may be sourcing expertise from a common talent pool, or they could be operating within an information-sharing framework to exchange tools and insights regarding effective strategies. Furthermore, the potential involvement of an intermediary offering specialized services akin to the ransomware-as-a-service model cannot be disregarded. However, it’s evident that the space is growing, pointing toward a level of success achieved with these attacks,” he said.

The full report is available at https://labs.withsecure.com/publications/meet-the-ducks.