CyberSecurity SEE

How Ducktail takes advantage of compromised business and ad accounts

The threat actor known as Ducktail has been making significant profits by selling compromised business and ad accounts on various social media platforms. According to researchers from Zscaler, the value of these accounts can range from around 350,000 Vietnamese dong (~$15 USD) for low-grade accounts to approximately 8,000,000 Vietnamese dong (~$340 USD) for more valuable ones.

Ducktail, a group based in Vietnam, primarily targets individuals working in the digital marketing and advertising sector who have access to business and ad accounts on platforms like TikTok, Facebook, LinkedIn, and Google. The group’s preferred method is to social-engineer their targets into downloading and running information-stealing malware.

To initiate contact, Ducktail often compromises LinkedIn accounts and poses as recruiters, luring victims with fake job listings. They also send email attachments containing malicious executables disguised as job application packages. These executables are capable of stealing saved session cookies from browsers, allowing the threat actors to gain unauthorized access to the victims’ accounts.

In some cases, Ducktail delivers its payloads as Excel add-ins or browser extensions. The archives carrying these payloads are hosted on cloud storage services such as iCloud, Google Drive, Dropbox, Transfer.sh, and OneDrive. The group has also been observed using Trello, a project management platform, as a hosting location for its archives.

The threat actors employ various tactics to deceive their targets. They create counterfeit versions of AI tools like ChatGPT or set up web pages masquerading as marketing guides and software, all of which serve as vehicles for info-stealers.

Upon successfully compromising a victim’s business or ad account, Ducktail adds their own email address to the account and sometimes changes the password and associated email address. To escape detection, they log into the compromised accounts through private residential proxy services. This lets them present an IP address that geolocates to the victim’s location, so that platform defenses keyed on unusual login locations are less likely to flag the unauthorized access.
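Because the residential proxy makes the login's geography look normal, a detection that relies on "login from an unexpected country" will miss exactly the session the paragraph above describes. The following is an added example written for this page (not code from Zscaler, from Ducktail, or from any platform) that contrasts a geo-only rule with one keyed on the behaviour the article does describe: a session from a device fingerprint never seen on the account before, followed within a short window by a high-impact change such as adding a new admin email or changing the password. All audit-log records, field names (`ts`, `event`, `actor`, `ip`, `country`, `device_id`, `target_email`), IP addresses and email addresses are constructed for illustration and are assumptions; real business-account audit exports use different schemas.

```python
"""Added example: detecting the Ducktail-style post-compromise sequence
(new session -> new admin email added -> password changed) without relying on
IP geolocation. All events and field names below are CONSTRUCTED sample data
and ASSUMED schema, not real platform audit logs."""
from datetime import datetime, timedelta

# Constructed sample audit log for one business account (assumed schema).
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T08:00:00", "event": "login", "actor": "owner@example.com",
     "ip": "203.0.113.10", "country": "VN", "device_id": "dev-owner-laptop"},
    {"ts": "2023-05-01T08:05:00", "event": "campaign_updated", "actor": "owner@example.com",
     "ip": "203.0.113.10", "country": "VN", "device_id": "dev-owner-laptop"},
    # Intruder session: same country as the victim (residential proxy), but a
    # device fingerprint that has never appeared on this account before.
    {"ts": "2023-05-02T02:10:00", "event": "login", "actor": "owner@example.com",
     "ip": "198.51.100.77", "country": "VN", "device_id": "dev-unknown-1"},
    {"ts": "2023-05-02T02:12:00", "event": "admin_added", "actor": "owner@example.com",
     "ip": "198.51.100.77", "country": "VN", "device_id": "dev-unknown-1",
     "target_email": "attacker@example.net"},
    {"ts": "2023-05-02T02:14:00", "event": "password_changed", "actor": "owner@example.com",
     "ip": "198.51.100.77", "country": "VN", "device_id": "dev-unknown-1"},
]

# Account changes that, following a login from an unfamiliar device, indicate
# an account takeover in progress (the behaviour the article attributes to Ducktail).
HIGH_RISK_EVENTS = {"admin_added", "password_changed", "email_changed"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def geo_only_alerts(events, home_country):
    """Baseline rule: alert on logins from outside the account's home country.
    Included to show that a proxied login produces no alert at all."""
    return [e for e in events
            if e["event"] == "login" and e["country"] != home_country]


def detect_takeover(events, window_minutes=60, known_devices=None):
    """Alert when a login from a device not previously seen on this account is
    followed, within window_minutes and from the same device, by at least one
    high-risk account change. Geolocation is deliberately not consulted."""
    known = set(known_devices or [])
    events = sorted(events, key=lambda e: _parse(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "login":
            continue
        device = ev["device_id"]
        if device in known:
            continue
        # First appearance of this device: collect what it changed in the window.
        deadline = _parse(ev["ts"]) + timedelta(minutes=window_minutes)
        changes = [
            later for later in events[i + 1:]
            if later["device_id"] == device
            and later["event"] in HIGH_RISK_EVENTS
            and _parse(later["ts"]) <= deadline
        ]
        if changes:
            alerts.append({
                "device_id": device,
                "ip": ev["ip"],
                "login_ts": ev["ts"],
                "changes": [c["event"] for c in changes],
                "new_admins": [c["target_email"] for c in changes
                               if c["event"] == "admin_added"],
            })
        # Later logins from this device are no longer "new" for this account.
        known.add(device)
    return alerts


if __name__ == "__main__":
    print("geo-only rule:", geo_only_alerts(SAMPLE_EVENTS, "VN"))
    for alert in detect_takeover(SAMPLE_EVENTS):
        print("takeover alert:", alert)
```

On the constructed data the geo-only rule returns nothing, while the device-novelty rule produces one alert naming the unfamiliar device, the two high-risk changes, and the newly added admin email. In practice the "known devices" set would be seeded from the account's history, and an alert of this shape is a reasonable trigger to review the account's admin list and revoke sessions.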

Once they gain control over the accounts, the threat actors sell access to them through various platforms including Telegram, Facebook, and Zalo, a Vietnamese messaging app. Stolen accounts are also traded on an underground market based in Vietnam. Both vendors and buyers look for specific properties in the accounts such as the type of account (personal or business manager), daily ad budget, payment threshold, verification status, and longevity. Older accounts tend to be more valuable.

Facebook, one of the targeted platforms, has implemented measures to combat threat actors like Ducktail by automatically flagging suspicious accounts. This puts pressure on the threat actors to prolong the lifespan of compromised ad accounts. As a result, not all hacked Facebook accounts hold the same value in the underground market. Depending on specific properties, an account may range from highly valuable to nearly worthless to potential buyers.

In conclusion, Ducktail has established a lucrative underground economy by specializing in the sale of compromised business and ad accounts on social media platforms. Their tactics involve social engineering, the use of malware, and sophisticated techniques to maintain access to hijacked accounts. The illegal trade of these accounts on various communication platforms and underground markets highlights the challenge faced by platforms and individuals in securing their social media presence and digital assets.
