Cybersecurity experts at WithSecure and Zscaler ThreatLabz have detected an emerging threat posed by a Vietnamese cybercriminal syndicate. This group is utilizing Facebook advertising campaigns as a means to propagate malware.
Unmasking the Growing Threat: Cybercriminals Targeting Social Media
Fraudsters have a history of employing counterfeit ads to distribute scams and malicious software. The rise of social media networks, extensively used by businesses for advertising, presents attackers with a lucrative new avenue for their schemes, particularly in hijacking business accounts.
Facebook has become a focal point for cyber threats in the past year, affecting both regular users and business account holders. Vietnamese groups like Ducktail and Duckport are attributed to these attacks.
Unauthorized access to user accounts is pursued through various methods, with social engineering playing an active role. Victims are targeted across different platforms, including Facebook, LinkedIn, WhatsApp, as well as freelancing websites like Upwork.
These cybercriminal groups share common tactics such as utilizing link shortening services, managing infected devices through Telegram, and employing cloud services like Trello, Discord, and Dropbox for hosting malicious files.
Ducktail, one of the most active and hazardous entities in this illicit trade, employs diverse techniques for malware distribution. They deceive victims with fake job postings on platforms like Upwork and Freelancer, leading to the download of an infected file that installs Ducktail malware.
The group specializes in stealing stored browser cookies, enabling them to hijack business Facebook accounts, which are then sold on the black market, fetching prices ranging from $15 to $340.
Hackers continuously adapt their methods and tools, with recent additions to Ducktail allowing it to terminate processes that obstruct browser databases. This feature is commonly found in ransomware attacks, where files used by these processes cannot be encrypted.
In addition to Ducktail, a newcomer called Duckport has entered the scene since March 2023. Operating similarly to Ducktail, this group focuses on data theft and the hijacking of Facebook accounts.
WithSecure experts caution against underestimating the active collaboration between different threat actors, indicating the formation of a robust cybercrime ecosystem in Vietnam. Their research serves as a stark reminder of the necessity for heightened vigilance when engaging with advertising and messages on social networks, particularly for business account holders.