Search This Blog

Showing posts with label Spear Phishing Mails. Show all posts

Ducktail Spear-Phishing Campaign Targets Facebook Business Accounts Via LinkedIn


An ongoing spear-phishing campaign dubbed “Ducktail” is targeting admin profiles of enterprise networks via LinkedIn, with the motive of taking over Facebook Business accounts and exploiting the Ads function to run malvertising campaigns. 

According to researchers at WithSecure, a popular global IT-security firm, the hackers are of Vietnamese origin and have been active since 2018. 

Modus operandi 

The Ducktail operators have a limited targeting scope and carefully choose their victims, seeking those with administrative access to their employer's social media accounts. The hacker contacts employees on LinkedIn who may have access to Facebook business accounts, such as those described as working in "digital media" and "digital marketing." 

Subsequently, the hacker lures the potential victim to download a file hosted on legitimate cloud hosting services like Dropbox or iCloud. The downloaded file contains JPEG image files and a PDF document relevant to the topic discussed between the hacker and the potential victim during the convincing stage.

Security researchers reported that the entire file is a .NET Core malware that can infect any operating system by running on computers without having to install the .NET runtime. Once it has compromised the system the malware collects browser cookies from Chrome, Edge, Firefox, and additional sensitive information to steal Facebook credentials. 

“The malware directly interacts with various Facebook endpoints from the victim’s machine using the Facebook session cookie (and other security credentials that it obtains through the initial session cookie) to extract information from the victim’s Facebook account,” researchers explained. 

The malware is then deployed to other Facebook pages owned by the victim and collects multiple tokens, IP addresses, account information, geolocation data, and other valuables to disguise itself as a legitimate admin. 

After getting access to the victim’s business profile the malware steals advertising limits, credit card details, client lists, currency, payment cycle, and more sensitive details, and finally, the stolen data is exfiltrated through Telegram bots when the malware exits or crashes. 

The phishing campaign operates on an infinite loop in the background which allows continuous exfiltration of new cookies and any update to the victim’s Facebook account. The motive is to interact with the victim’s account, and ultimately create an email account managed by the hacker with the highest privilege role; that is, admin access and finance editor roles.

IBM: Flags More Cyber Attacks on COVID-19 Vaccine Infrastructure


On Wednesday, IBM reported that its cyber-security unit has discovered more digital attacks targeting the global COVID-19 vaccine supply chain since the problem was first reported late last year. 

IBM Security X-Force has now revealed that the number of organizations affected has increased since the previous evaluation. A total of 44 organizations from 14 countries were singled out for attack. The targeted companies are key organizations involved in transportation, warehousing, storage, and distribution in Europe, North America, South America, Africa, and Asia. 

The threat actor began sending spear-phishing emails in early September 2020, before any COVID-19 vaccine variant was approved, in order to pre-position themselves in the evolving infrastructure. The emails requested quotes for the Cold Chain Equipment Optimization Platform (CCEOP) program and mentioned Haier Biomedical products used for storage and transportation of vaccines. 

IBM which has identified 50 files associated with the attacks, states the threat actor has excellent knowledge of the cold chain. Spear-phishing emails impersonating the executive from Chinese biomedical firm Haier Biomedical were extensively used in the attacks. 

IBM stated that “While our previous reporting featured direct targeting of supranational organizations, the energy and IT sectors across six nations, we believe this expansion to be consistent with the established attack pattern, and the campaign remains a deliberate and calculated threat.” 

The attacks used HTML files that included references to solar panel manufacturers and petrochemical companies. Around eight distinct organizations in the aviation, aerospace, shipping, and transportation services industries, as well as biomedical research, medical manufacturing, pharmaceuticals, and hygiene services, were hit by the attackers. Six companies in web-hosting, software creation, IT operations and outsourcing, and online platform provisioning were also affected. 

Government agencies (involved in the import/export of special products, transportation, and public health), as well as establishments in the refrigeration and metal manufacturing industries, were targeted, according to IBM. 

According to IBM security analysts, the attackers were attempting to gain access to the COVID-19 vaccine cold chain for espionage purposes, including information on national Advance Market Commitment (AMC) agreements, distribution timetables, collection or duplication of the electronic documents, and warehousing technical requirements. 

“While clear attribution remains presently unavailable, the rise of ‘vaccine nationalism’ and increased global competition surrounding access to vaccines suggests the higher likelihood of a nation-state operation,” IBM added.