Skip to content


Researchers at WithSecure, a cybersecurity company formally known as F-Secure, have published research on an ongoing operation targeting organisations and individuals that manage Facebook Business accounts.

The operation, dubbed DUCKTAIL, has been seen scouting for businesses that use the Facebook Business/Ads platform and then targeting employees of businesses that may have access to their organisation’s account. WithSecure detailed how the threat actor named their malware files using keywords relating to products and brands with the aim of making it look like project development plans and business-related files.

The malware used in these attacks has the capability to scan the browsers on the victim’s device for session cookies from Facebook as well as personal information from the user’s machine, such as 2FA codes, geolocations and IP addresses, and user agents, as well as the name and birthday of the user.

If the victim has been accessing their personal account on the device, the malware will also steal email and user ID information, as well as scanning for any businesses associated with the personal account.

Notably, the malware can gain access to Facebook Business accounts associated with the victim’s personal Facebook account. It does so by attempting to add the threat actor’s email account to the business account, and if successful will attempt to give their account admin access and make themselves the finance editor of the business account.

This infographic explains the DUCKTAIL operation:

The full report from WithSecure can be found here.


Keeping all colleagues within your organisation informed on how to spot and report a phishing attack may help prevent your organisation from being hit with this attack. Additionally, make sure to not keep passwords for social media accounts stored within your browser, as these can often be easily accessed by hackers (as seen in this attack). Instead, consider using a password manager to store password and username information, as these are often much better protected and harder to access by malicious users.

Organisations may wish to consider updating browser settings to have stricter cookie policies and for cookies to be cleared when the browser is closed, stopping session cookies from being held for longer periods than would be required.

Regularly reviewing users added to your Facebook Business account can also let you quickly see if there is a new and suspicious user added. Facebook has a page detailing how to do this here. Keep users to a minimum on your Facebook business account, if your business is targeted, there is less chance of an attack being successful.

Related Links: