Facebook users are vulnerable to a new malware threat known as Ducktail, which was first reported in July. This malware previously targeted business accounts on Facebook, but the threat now appears to be targeting regular users as well.
The new version is more dangerous because, once it infects your computer, it can collect all of your Facebook data. This is especially concerning for business accounts, which hold sensitive payment information and user data that can then be used to send phishing emails to, and attack, the people in those records.
What is this New Malware?
According to Bleeping Computer, the Ducktail malware is distributed via file-sharing networks, which serve as a hub for users to access cracked software, games, and other content that is not readily available on the internet.
The widespread nature of this malware has allowed it to spread beyond Facebook Business accounts, and the report claims that if the malware has entered your computer, it will be difficult to detect.
Accessing the accounts of regular Facebook users is sufficient to obtain information such as name, phone number, and e-mail address. So, the best way to prevent this malware from infiltrating your PC is to avoid opening emails from unknown senders, avoid downloading files from public portals, and, of course, never fall for deals that seem too good to be true.
Because the Ducktail malware has been around for a few months, it is likely to have spread gradually, but even so, Facebook users should be cautious about how they operate their accounts, and we recommend that they use two-factor authentication so that access to the account requires their explicit confirmation.
How does this Malware work?
DUCKTAIL’s campaigns were highly personalized at the time of writing. The cybercriminals behind this malware look for targets of interest on Facebook’s Business/Ads platform and target high-ranking individuals.
The goal is to gain access to victims’ accounts that have significant or complete control of a Facebook business page. DUCKTAIL’s ideal victims, for example, would have Admin access or a Finance editor role. The former provides complete control over the business account, including deletion and management (e.g., settings, privileges, roles, tools, etc.), while the latter would allow cybercriminals to view and abuse financial data (e.g., transactions, invoices, spending, payment methods, credit cards, and so on).
DUCKTAIL begins its operation after successful infiltration by checking for installed browsers, specifically Google Chrome, Mozilla Firefox, Microsoft Edge, or Brave. From there, the malware attempts to identify cookie paths and extract those associated with Facebook sessions.
These cookies may contain data required for the malware to gain access to the victim’s Facebook account, but the malicious program collects any and all relevant information it can find, including security credentials.
DUCKTAIL also determines whether 2FA (two-factor authentication) is required; if so, the program attempts to obtain the recovery codes. The malware can extract access tokens, user agents, IP addresses (geolocations), 2FA codes, and other information in addition to session cookies.
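The behaviour just described, a non-browser process reading the cookie stores of Chrome, Firefox, Edge or Brave, is something an endpoint file-access log can surface. The following detection check is an added example, not code from the original article or from any vendor report; the event format is a simplified, constructed stand-in for a file-read audit log, the cookie-store paths are the default profile locations the author of this example knows for those browsers, and the sample events are constructed.

```python
import re

# Constructed sample of file-read events (simplified, Sysmon-like): which image read which path.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\setup_crack.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

# Cookie stores of the four browsers the article names, paired with the executable
# that legitimately owns each (assumed default profile layouts; adjust for your fleet).
COOKIE_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\Cookies$", re.I), "chrome.exe"),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\Cookies$", re.I), "msedge.exe"),
    (re.compile(r"\\BraveSoftware\\Brave-Browser\\User Data\\.*\\Cookies$", re.I), "brave.exe"),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\.*\\cookies\.sqlite$", re.I), "firefox.exe"),
]


def flag_cookie_access(events):
    """Return every event where a process other than the owning browser read a cookie store."""
    hits = []
    for ev in events:
        proc = ev["image"].rsplit("\\", 1)[-1].lower()  # image file name only
        for pattern, owner in COOKIE_STORES:
            if pattern.search(ev["target"]) and proc != owner:
                hits.append({"process": proc, "store": ev["target"], "expected": owner})
    return hits


def suspicious_processes(events):
    """Collapse hits to the distinct offending image names, for triage."""
    return sorted({h["process"] for h in flag_cookie_access(events)})


if __name__ == "__main__":
    for hit in flag_cookie_access(SAMPLE_EVENTS):
        print(f"{hit['process']} read {hit['store']} (owner should be {hit['expected']})")
```

A browser updater or backup agent will also trip this rule, so in practice the owner list is widened with known-good images before alerting.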
DUCKTAIL typically steals business accounts through personal Facebook accounts. This program is interested in information such as the victim’s user ID, name, birthday, and email address. The malware adds the cybercriminals’ email addresses to the victim’s Facebook Business accounts, gaining control over them.
DUCKTAIL collects the following data when an associated business/ad account is breached: name(s), verification status(es), connected account number, ad spending and payment cycles, ad account permissions, set currency, pending users, owners, member roles, linked emails, client data, and so on.