New “Ducktail” Phishing Campaign Targets Facebook Business Accounts via LinkedIn

Employees managing Facebook Business accounts are now being targeted via LinkedIn in a spear phishing campaign known as “Ducktail”.

A spear-phishing campaign known as “Ducktail” is making the rounds on LinkedIn by targeting individuals that manage Facebook business accounts. An infostealer is being used in the process to access information.

Specific Individuals Are Being Targeted by the Malicious Actor

In the Ducktail spear phish, attackers are accounts targeting individuals that manage Facebook Business, and therefore have been granted certain permissions to a company’s advertising and marketing tools on Facebook. Those who are shown on LinkedIn to have roles in digital marketing, social media marketing, digital advertising, or similar, are prime targets for this attacker.

Cybersecurity firm WithSecure reported in a recent publication that the Ducktail malware is the first of its kind, and is thought to be controlled by a Vietnamese operator.

It is not known exactly how long this campaign has been going on, but it has been confirmed active for at least one year. However, Ducktail may have been created and first used as many as four years ago at the time of writing.

LinkedIn Is Used as an Infiltration Vehicle in the Phishing Process

While LinkedIn accounts are not being directly targeted in this campaign, the platform is being used as a vehicle to access targets. The malicious actor looks for users with roles that suggest they have high-level access to their employer’s advertising tools, including their Facebook Business account.

Then, the attacker will use social engineering to persuade the victim to download an archive file that contains a malware executable as well as some additional images and files, all of which are hosted by a variety of cloud storage providers, like Dropbox and iCloud. The Ducktail malware is written in .NET Core, an open-source software framework. This means that the infostealer malware can run on almost any device, regardless of the operating system it uses.


The Ducktail malware can then scan for browser cookies to find the required login information needed to access a Facebook Business account by hijacking the session cookie. By hacking a Facebook Business account, sensitive information about the company, its clients, and advertising dynamics can be stolen.

Financial Gain Is the Likely Goal in the Ducktail Campaign

WithSecure has stated in its post about Ducktail that the malicious party’s actions are likely “financially driven”. When the attacker gains full control of the targeted Facebook Business account, they can edit credit card and transactional information, and use the company’s payment methods to run their own advertising campaigns. This can be financially damaging to the company but can take a while to notice, which gives the malicious actor more time to exploit the victim.


Ducktail May Accumulate Many Victims In the Near Future

Because Ducktail is a one-of-a-kind type of malware and targets an area that many individuals would not think to check, it could be used to successfully exploit a long list of victims over time. Though it is not known whether the attacker has successfully infiltrated any Facebook business accounts, the threat still remains.

Leave a Comment

Your email address will not be published.