Malicious Browser Extensions: A New Threat to Facebook Business Accounts


Hackers leverage malicious browser extensions to infiltrate Facebook Business accounts in a new cybersecurity threat. The notorious Ducktail family, known for developing information-stealing malware, has been identified as a critical player in this malicious activity. The article delves into how the hack occurs and what measures can be taken to protect against it.

Facebook Business accounts are under a new threat. The culprit? Malicious browser extensions developed by the infamous Ducktail family.

“The only secure computer is unplugged, locked in a safe, and buried 20 feet under the ground in a secret location… and I’m not even too sure about that one.” – Dennis Hughes, FBI.

This quote rings more accurate than ever in today’s digital landscape.

The Modus Operandi of the Ducktail Family

Ducktail is a specially crafted information stealer that can lead to severe outcomes such as privacy violations, financial losses, and identity theft. Its constant updates allow it to circumvent most social media platforms’ security measures, focusing primarily on advertising and business accounts.

The ultimate aim of the hack is to target the Facebook accounts of the organization’s employees who either hold fairly senior positions or work in HR, digital marketing, or social media marketing—as reported by Kaspersky. The criminals send malicious archives to their potential victims, using theme-based photos and video clips on a shared subject as bait in the archives.

Disguising Malware as Fashion

The majority of the archive’s email is fashioned-themed. Prominent participants in the fashion business had emails sent out in their names containing archives with pictures of clothing. The document appears to be a PDF file but carries malicious files that could harm your computer. The file names are carefully chosen to seem relevant and persuade the recipient to click on them. It is crucial to exercise caution when dealing with unknown files to evade potential security risks.

The Bait and Switch Technique

While the names in the fashion-themed campaign linked to “guidelines and requirements for candidates,” other forms of bait, such as pricing lists or commercial offers, might also be used. After the victim opens the exe file, it reveals the contents of a PDF file that the malicious code has embedded. Simultaneously, the malware scans all the desktop shortcuts, the Start menu, and the Quick Launch toolbar.

It searches for shortcuts to browsers running on the Chromium platform, like Microsoft Edge, Vivaldi, Brave, and Google Chrome. Once it has located one, the virus modifies the executable file’s command line to include an instruction to install a browser extension.

Impersonating Google Docs Offline

Following this, the malicious script terminates the browser process, coaxing the user to restart it using one of the modified shortcuts and fake extension download in their systems, where it uses the same symbol and description to impersonate Google Docs Offline. The extension also steals the browser’s active session cookies, which allow unauthenticated login to Facebook accounts, from aceboothose into the victim’s device.

Countermeasures to Protect Against Malicious Browser Extensions

When downloading files from suspicious sites, avoiding doing so on official work computers is advisable. Always check the extensions of all files downloaded from the internet or email before opening them. A file with an EXE extension that appears to be a legitimate document should never be clicked on, as it is malicious software.

Share the Article by the Short Url: