Security News > 2022 > July > LinkedIn phishing target employees managing Facebook Ad Accounts
A new phishing campaign codenamed 'Ducktail' is underway, targeting professionals on LinkedIn to take over Facebook business accounts that manage advertising for the company.
The threat actor reaches out to employees on LinkedIn who could have Facebook business account access, for example, people listed as working in "Digital media" and "Digital marketing" as their roles.
"The malware directly interacts with various Facebook endpoints from the victim's machine using the Facebook session cookie to extract information from the victim's Facebook account," explains WithSecure in the report.
Business-specific details stolen from the compromised account include the verification status, advertising limit, users list, client list, ID, currency, payment cycle, the amount spent, and the adtrust DSL. The data is eventually exfiltrated through Telegram bots and takes place between set periods, or when Facebook accounts are stolen, the malware process exits, or when the malware crashes.
Not only does the malware steal information from victims' Facebook accounts, but they also hijack them by adding the threat actor's email address to the compromised Facebook Business account.
The threat actors then leverage their new privileges to replace the set financial details so that they could direct payments to their accounts or run Facebook Ad campaigns with money from the victimized firms.