Cyber-attacks targeting Meta Business and Facebook accounts are gaining popularity among criminals in Vietnam, according to a new report published by WithSecure.
The WithSecure Intelligence team has observed an increasing number of cybercriminal groups targeting these platforms – and they mainly originate and operate from Vietnam.
Typically, these adversaries leverage a variety of lure themes (involving names like OpenAI’s ChatGPT, Google’s Bard, popular software such as Notepad++ or even job and advertisement opportunities) shared through email, social media, or similar means to manipulate their victims into infecting themselves with information-stealing malware.
Following infection, the malware steals various information, including Facebook session cookies and login credentials, giving the attacker access to the targeted account. Some malware implants can also hijack the accounts and run fraudulent ads automatically via the victim’s machine.
Enablers for Other Cybercriminals
Access to these accounts affords attackers with several opportunities to make money, such as extortion, defamation, or, more notably, running fraudulent advertisements using their victim organization’s money/credit.
Generally, these groups sell ads to other cybercriminals, either for a fee or a share in the operations, Mohammad Kazem Hassan Nejad, one of the report's authors, described.
“That makes them a sort of enabler for other cybercriminals, which ultimately harms businesses, the platform, and users. Plus, they can sell a lot of the information they're able to steal, which provides an additional source of revenue and causes more problems for victims.”
Ducktail and Duckport
The report also dives into two threat clusters engaged in these attacks, Ducktail and Duckport.
Ducktail, tracked by WithSecure for approximately a year and a half – with an activity spike within the last six months – has recently started targeting X (formerly Twitter) advertising accounts alongside Meta Business Ads.
The threat cluster has also enhanced its evasion and anti-analysis techniques to help avoid detection, the report added.
Duckport was discovered by WithSecure Intelligence in March 2023. Although it closely resembles Ducktail, it also includes unique features, such as the ability to take screenshots or to abuse online note-sharing services as part of its command-and-control chain.
According to WithSecure’s Neeraj Singh, who participated in the research, the involvement of different but similar groups indicates a certain level of engagement among adversaries operating in this space.
"These various groups may be sourcing expertise from a common talent pool, or they could be operating within an information-sharing framework to exchange tools and insights regarding effective strategies. Furthermore, the potential involvement of an intermediary offering specialized services akin to the ransomware-as-a-service model cannot be disregarded. However, it’s evident that the space is growing, pointing toward a level of success achieved with these attacks," he said.
Meta is the second biggest advertising platform in terms of ad revenue globally, accounting for 23.8% of the worldwide advertising market in May 2023, according to Statista.
“This success naturally attracts threat actors hoping to abuse the platform,” the report commented.