Cyber crime targeting Meta’s ad ecosystem spreading

Press Release  |  August 31, 2023

Threats targeting Meta Business accounts growing in popularity among cyber criminals based in Vietnam, according to new WithSecure research.


Helsinki, Finland – August 31, 2023: Cyber attacks targeting Meta Business and Facebook accounts are gaining popularity among criminals in Vietnam, according to a new report published by WithSecure™ (formerly known as F-Secure business).

According to the report, WithSecure™ Intelligence has observed and is currently tracking numerous groups targeting these platforms. The attacks manipulate an individual with access to the targeted account into infecting themselves with information-stealing malware.

The attackers manipulate victims into downloading the malware by using lures shared through email, social media, or similar means. Common themes in the lures observed by researchers in these attacks include trending topics (such as ChatGPT), popular software (such as Notepad++), employment opportunities (such as job ads or project proposals), and information about advertising platforms (such as Ads Manager tooling).

Following infection, the malware steals various information, including Facebook session cookies and login credentials, giving the attacker access to the targeted account. Some malware can also hijack the accounts and run fraudulent ads automatically via the victim’s machine.

Access to these accounts affords attackers a number of opportunities to make money, such as extortion, defamation, or more notably, running fraudulent advertisements using their victim organization’s money/credit.

“These groups often sell ads to other cyber criminals, either for a fee or a share in the operations. That makes them a sort of enabler for other cyber criminals, which ultimately harms businesses, the platform, and users. Plus, they can sell a lot of the information they're able to steal, which provides an additional source of revenue and causes more problems for victims,” said WithSecure™ researcher Mohammad Kazem Hassan Nejad, who authored the report.

In addition to providing an overview of the problem, the report analyzes two threats engaged in these attacks.

The first, DUCKTAIL, is a threat WithSecure™ Intelligence has tracked for approximately a year and a half. Researchers found a significant surge in DUCKTAIL activity in the last 6 months, as well as several notable developments in the operation. Some of the more significant evolutions observed include targeting X/Twitter advertising accounts, greater use of evasion/anti-analysis techniques to help avoid detection, and more.

The second threat detailed in the report, DUCKPORT, was discovered by WithSecure™ Intelligence in March 2023. There are considerable overlaps between DUCKTAIL and DUCKPORT, but also significant differences that researchers felt warranted tracking it as a separate threat. Some capabilities unique to DUCKPORT include the ability to take screenshots, the abuse of online note-sharing services as part of its command-and-control chain, and several others detailed in the report.

According to WithSecure’s Neeraj Singh, who participated in the research, the involvement of different but similar groups is indicative of a certain level of engagement occurring among adversaries operating in this space.

"These various groups may be sourcing expertise from a common talent pool, or they could be operating within an information-sharing framework to exchange tools and insights regarding effective strategies. Furthermore, the potential involvement of an intermediary offering specialized services akin to the ransomware-as-a-service model cannot be disregarded. However, it’s evident that the space is growing, pointing toward a level of success achieved with these attacks," he said.

The full report is available at

WithSecure™ media relations
Adam Pilkey

About WithSecure™

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.

Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.