Quite some money can be made from selling compromised business and ad accounts on social media platforms, and the Ducktail threat actor has specialized in just that.
“We observed that an account deemed ‘low-grade’ sells for around 350,000 Vietnamese dong (~$15 USD), while accounts considered valuable sell for around 8,000,000 Vietnamese dong (~$340 USD),” Zscaler researchers noted.
Targets and techniques
Researchers have previously reported on campaigns mounted by the group, but Zscaler’s researchers have now outlined more of their tactics, techniques, and procedures, and have laid bare the underground economy the threat actor is a part of.
Ducktail is the name assigned by security researchers to a group operating from Vietnam, whose goal is hijack social media business accounts on platforms like TikTok, Facebook, LinkedIn, and Google.
Their selected targets are individuals working in the digital marketing and advertising sector, i.e., persons who have access to business and ad accounts.
Their preferred approach is to social-engineer targets to download and run information-stealing malware.
They usually contact the victims via compromised LinkedIn accounts, luring them in with fake job listings. Once the “recruiter” has messaged the victim, they also send an email a fake job application package containing an malicious executable capable of stealing saved session cookies from browsers.
“We believe, with a high-confidence level, that threat actors are compromising the LinkedIn accounts of users who fell victim to DuckTail’s initial attack where victims were enticed with fraudulent job posts and fake recruiters,” the researchers noted.
Some Ducktail payloads also come in the form of an Excel add-in or browser extension.
Ducktail abusing social media and cloud platforms in different stages of their operation. (Source: Zscaler)
They host these malicious archives on cloud hosting services (iCloud, Google Drive, Dropbox, Transfer.sh, and OneDrive) and sometimes they also use Trello – a project management platform – as a cloud hosting service.
Another popular lure is bogus versions of AI tools such as ChatGPT.
They have also been known to set up web pages pretending to offer marketing guides and marketing software, but actually serving info-stealers.
Account takeover
To take over a victim’s business/ad account, the attackers add their own email address to it and, occasionally, change the password and email address of the account.
“We observed an instance where, after taking over a victim’s Facebook account, the threat actor enabled the Encrypted Notifications setting. This way every Facebook email communication with the victim is encrypted – effectively preventing the victim from recovering their account,” the researchers explained.
The attackers use private residential proxy services when logging in to compromised social media business accounts, so they can “show” an appropriately geolocated IP address and avoid being detected by the platforms’ defenses.
Business and ad accounts for sale
Threat actors target ad accounts so they can access ad budgets.
The attackers use platforms such as Telegram, Facebook and Zalo (a Vietnamese messaging app) to communicate and sell access to the hijacked accounts. Stolen accounts are also sold on a Vietnamese-based underground market.
Vendors and buyers look for specific properties of the sold accounts, including the type of account (a personal ad account or a business manager account), the daily ad budget and payment threshold, whether the account is verified, the longevity (older accounts are more valuable), etc.
“Facebook combats threat actors like Ducktail, who hack and abuse ad accounts on their platform, by automatically flagging suspicious accounts. Because of this, threat actors try to prolong the life of a compromised ad account. For this reason, hacked Facebook accounts are not interchangeable commodities. Depending on an account’s properties, it may range from very valuable to almost useless to buyers,” the researchers concluded.