
Cyber-attacks targeting Meta Business and Facebook accounts are gaining
popularity among criminals in Vietnam, according to a new report published by WithSecure.
The WithSecure Intelligence team has observed an increasing number of cyber criminal groups targeting these platforms – and they mainly
originate and operate from Vietnam.
Typically, these adversaries leverage a variety of lure themes
(involving names like OpenAI’s ChatGPT, Google’s Bard, popular software
such as Notepad++ or even job and advertisement opportunities) shared
through email, social media, or similar means to manipulate their
victims into infecting themselves with information-stealing malware.
Following infection, the malware steals various information, including
Facebook session cookies and login credentials, giving the attacker
access to the targeted account. Some malware implants can also hijack
the accounts and run fraudulent ads automatically via the victim’s
machine.
Enablers for Other Cybercriminals
Access to these accounts affords attackers several opportunities
to make money, such as extortion, defamation, or, more notably, running
fraudulent advertisements using their victim organization’s
money/credit.
Generally, these groups sell ads to other cybercriminals, either for a
fee or a share in the operations, explained Mohammad Kazem Hassan Nejad,
one of the report's authors.
“That makes them a sort of enabler for other cybercriminals, which
ultimately harms businesses, the platform, and users. Plus, they can
sell a lot of the information they're able to steal, which provides an
additional source of revenue and causes more problems for victims.”
Ducktail and Duckport
The report also dives into two threat clusters engaged in these attacks, Ducktail and Duckport.
Ducktail, tracked by WithSecure for approximately a year and a half – with an activity spike within the last six months – has recently started targeting X (formerly Twitter) advertising accounts alongside Meta Business Ads.
The threat cluster has also enhanced its evasion and anti-analysis techniques to help avoid detection, the report added.
Duckport was discovered by WithSecure Intelligence in March 2023.
Although it closely resembles Ducktail, it also includes unique
features, such as the ability to take screenshots or to abuse online
note-sharing services as part of its command-and-control chain.
According to WithSecure’s Neeraj Singh, who participated in the
research, the involvement of different but similar groups indicates a
certain level of engagement among adversaries operating in this space.
"These various groups may be sourcing expertise from a common talent
pool, or they could be operating within an information-sharing framework
to exchange tools and insights regarding effective strategies.
Furthermore, the potential involvement of an intermediary offering
specialized services akin to the ransomware-as-a-service model cannot be
disregarded. However, it’s evident that the space is growing, pointing
toward a level of success achieved with these attacks," he said.
Meta is the second-biggest advertising platform in terms of ad revenue
globally, accounting for 23.8% of the worldwide advertising market in
May 2023, according to Statista.
“This success naturally attracts threat actors hoping to abuse the platform,” the report commented.