It has become visible that Facebook Business accounts have been compromised due to the malicious browser extensions designed by the infamous Ducktail family. Ducktail is a carefully planned data stealer that can have serious results, like privacy breaches, identity theft, and financial losses.

Its consistent updates allow the virus to pass through the safety measures of the majority of Social Media platforms, carefully focusing on advertisements & business accounts. The hack's principal objective is to focus on the company employees' FB accounts who either work in senior positions.

Cybercriminals cast out malicious records to their likely clients; theme-based video clips & photographs are available on a common subject as a torment in the archives. The majority of the emails in the archive are based on fashions. For example, the big players in the fashion industry had emails sent by their names that carried archives with clothes pictures.

Although the document looks to be in PDF format, it actually contains dangerous files that could damage your machine. To further entice the recipient to click on them, the file names have been carefully selected to appear pertinent. Handling unfamiliar files requires vigilance in order to prevent possible security issues.

The names in the campaign with a fashion theme were connected to "guidelines & requirements for candidates," but other baits might also be used. It displays the PDF contents that the malicious code has embedded in it after opening the “.exe” file first, in the hopes that the victim won't notice anything odd.

Notably, the malware simultaneously examines the Quick Launch toolbar, the Start menu, and any desktop shortcuts. Also, it searches for shortcuts to Chromium-based browsers, such as Microsoft Edge, Google Chrome, Vivaldi, and Brave. When it finds one, the virus adds a command to install a browser extension to the executable file's command line.

Then, the malicious script ends the browser session. Also, it asks the user to restart it by downloading a phony extension and utilizing a shortcut on their computers. This false extension seems to be Google Docs Offline and has the same icon and description.

The extension also uses the Facebook accounts that are logged into the victim's device to steal the browser's active session cookies. This further enables unauthenticated logins to Facebook accounts.

Counteractions

On official business computers, it is best to avoid downloading files from dubious websites. Before opening any files you obtain from the internet or receive via email, make sure to carefully check their extensions. It is never advisable to click on a file with an EXE extension that seems to be a genuine document since it is harmful malware.