2022-07-27

Any site can be a convenient place for cybercriminals to carry out their malicious actions and gain access to accounts without the owner's permission. The latest case has occurred on the LinkedIn platform, with a phishing campaign codenamed Ducktail that targets professionals in order to gain access to the Facebook business accounts they may be managing.

The discovery of this new campaign comes from WithSecure, who point out that it is a targeted attack. This means that the attackers choose their victims very carefully, looking for profiles that hold the administrator role in the Facebook accounts of the companies where they currently work.

Although this campaign has only recently been described, it has in fact been running for at least a year and could go back four years in a largely dormant state. In addition, the threat actor is believed to be Vietnamese and to have been collecting data remotely since 2018.

How the actors behind this phishing campaign operate

Their modus operandi is really simple. The attackers contact previously selected employees directly on LinkedIn, picking the profiles that match Facebook administrators. Finding them is relatively easy, since the experience listed on a profile usually states whether the person has managed pages on social networks.

During these conversations, the attackers use social engineering and deception to get users to download a file that looks completely legitimate, partly because it is hosted on well-known cloud services such as iCloud Drive or Dropbox.

But what is really being downloaded and executed is malware that harvests the cookies of any browser on the machine, looking for Facebook login information. Two-factor authentication does not get in the way, since requests made from these same trusted browser sessions are granted free access to the account, which ends up hijacked. In this case, the stolen information includes name, email, user ID, 2FA codes, geolocation data, and customer and user lists.

All this information is sent through different bots on Telegram so it can be managed on external servers, but the malware does not stop there. Before disappearing completely, it adds the threat actor's email to the Facebook page in order to have full access to it, and replaces financial data to redirect profits to the attackers' accounts.
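The two behaviours described above, a non-browser process reading browser cookie stores and an unexpected process talking to Telegram's bot API, are the kind of thing an endpoint detection rule can pick up. The script below is an added example and is not code from the article, from WithSecure or from any real product: the key="value" log format, the sample telemetry lines, the file name Project_Brief.exe and the allowlists of browsers and messaging clients are all constructed or assumed for illustration. It parses the sample events, flags each suspicious one, and then correlates findings per process so that a single process that both read cookie stores and reached Telegram stands out.

```python
"""Heuristic detection of cookie-store access and Telegram exfiltration on an endpoint.

Added example. The log format, the sample lines and the allowlists below are
constructed assumptions, not data from the article or from any real incident.
"""
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (key="value" pairs, one event per line).
# Process 5588 is a hypothetical dropped file; 4120 and 7001 are legitimate clients.
SAMPLE_EVENTS = [
    'ts=2022-07-27T09:12:01Z event=file_read pid=4120 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" target="C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"',
    'ts=2022-07-27T09:14:33Z event=file_read pid=5588 image="C:\\Users\\ana\\Downloads\\Project_Brief.exe" target="C:\\Users\\ana\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"',
    'ts=2022-07-27T09:14:35Z event=file_read pid=5588 image="C:\\Users\\ana\\Downloads\\Project_Brief.exe" target="C:\\Users\\ana\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\cookies.sqlite"',
    'ts=2022-07-27T09:15:02Z event=net_connect pid=5588 image="C:\\Users\\ana\\Downloads\\Project_Brief.exe" target="api.telegram.org:443"',
    'ts=2022-07-27T09:20:10Z event=net_connect pid=7001 image="C:\\Users\\ana\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" target="api.telegram.org:443"',
]

# Assumed allowlists; a real deployment would maintain these per environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
MESSAGING_CLIENTS = {"telegram.exe"}
# File names used by Chromium-based browsers ("Cookies") and Firefox ("cookies.sqlite").
COOKIE_STORES = {"cookies", "cookies.sqlite"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" / key=value line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased; handles both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the event matches one of the two heuristics."""
    image = basename(event.get("image", ""))
    target = event.get("target", "")
    if (event.get("event") == "file_read"
            and basename(target) in COOKIE_STORES
            and image not in BROWSERS):
        return "non-browser process read a browser cookie store"
    if (event.get("event") == "net_connect"
            and target.lower().startswith("api.telegram.org")
            and image not in MESSAGING_CLIENTS):
        return "unexpected process connected to the Telegram bot API"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the heuristics over raw log lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            findings.append({"pid": event["pid"], "image": event["image"], "reason": reason})
    return findings


def correlate(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct reasons per pid; a pid with both reasons deserves the first look."""
    by_pid: Dict[str, set] = {}
    for finding in findings:
        by_pid.setdefault(finding["pid"], set()).add(finding["reason"])
    return {pid: sorted(reasons) for pid, reasons in by_pid.items()}


if __name__ == "__main__":
    for pid, reasons in correlate(scan(SAMPLE_EVENTS)).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the constructed sample, only process 5588 is reported, with both reasons attached; Chrome reading its own cookie store and the Telegram desktop client reaching the Telegram API are left alone because of the allowlists. The allowlist approach is deliberately simple: in a real environment the browser list should be derived from the software inventory, and process ancestry (a binary launched from a Downloads folder shortly after a file was fetched from a cloud-storage link) is a stronger signal to add than the path alone.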

All this means that maximum security measures must be taken on any type of platform to avoid an unpleasant surprise. In no case should you download files that you have not requested or that come from strangers, even if they are hosted on trusted servers.

Via | BleepingComputer