Nov 18 2022

Oops! Meta Security Guards Hacked Facebook Users

Category: Social network | DISC @ 1:29 pm

Facebook parent Meta has disciplined or fired at least 25 workers for allegedly hacking into user accounts. Some of the workers were contract security guards, we’re told.

Wait … disciplined or fired? How were they not all fired? And prosecuted? And how come security guards have access to Facebook’s internal account-recovery tools?

All these questions and more will be asked in today’s SB Blogwatch. Please tell me it’s the weekend tomorrow.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hello there.

‘Oops’ not Even the Half of It

What’s the craic? Kirsten Grind, Robert McMillan, Salvador Rodriguez and Jim Oberman tag team to report—“Employees, Security Guards Fired for Hijacking User Accounts”:

“Workers accepted thousands of dollars in bribes”
Meta … has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes. … Some of those fired were contractors who worked as security guards [who] were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts … known internally as “Oops.”

Oops, an acronym for Online Operations, is supposed to be fairly limited to special cases, like friends, family, business partners and public figures, but its usage has climbed. … In 2020, the channel serviced about 50,270 tasks, up from 22,000 three years earlier.

Tags: Facebook security, Hacked Facebook Users, Meta

Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control, App Security, Authentication | DISC @ 8:29 am

Researchers uncovered an ongoing operation, codenamed DUCKTAIL that targets Facebook Business and Ad Accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a financially motivated Vietnamese threat actor that is suspected to have been active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees who may have access to a Facebook Business account. They use information-stealer malware that harvests browser cookies and abuses the authenticated Facebook sessions those cookies represent to pull information from the victim’s Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals in managerial, digital marketing, digital media, and human resources roles within companies. The attackers contacted victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud, and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and compiled using its single-file feature. This feature bundles the main assembly together with all dependent libraries and files into a single executable. Experts pointed out that the use of .NET Core and its single-file feature is uncommon in malware development.

The use of .NET Core allows the attackers to embed the Telegram.Bot client, as well as any other external dependencies, into a single executable and to use Telegram channels as Command and Control (C&C).

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim’s personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation.

Once they have obtained the above data, the attackers can access the victim’s personal account, hijack it by adding an email address retrieved from the Telegram channel, and grant themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.
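The report states that, since late 2021, stolen data leaves the victim machine only through the Telegram Bot channel. From a defender’s side that makes egress to the Telegram Bot API from ordinary workstation processes a useful detection signal. The following is an added example, not code from WithSecure or from the report: it runs a small detector over constructed proxy/EDR egress log lines (the hostnames, process names and the bot token are made up; the `/bot<id>:<secret>/<method>` path shape is the public Telegram Bot API format), allowlists any host/process pair that is legitimately allowed to run a bot, and reports every other process that calls upload methods, grouped by bot ID with the token secret dropped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample egress log (not from the report). Fields:
# timestamp host process dest_host request_path
SAMPLE_LOGS = """\
2022-07-20T09:12:01Z ws-mkt-07 chrome.exe www.facebook.com /business/
2022-07-20T09:12:44Z ops-bot-01 python.exe api.telegram.org /bot111111111:APPROVED_PLACEHOLDER_TOKEN_xxxx/sendMessage
2022-07-20T09:13:05Z ws-mkt-07 BrandGuideline.exe api.telegram.org /bot000000000:PLACEHOLDER_TOKEN_xxxxxxxxxxxx/sendDocument
2022-07-20T09:13:06Z ws-mkt-07 BrandGuideline.exe api.telegram.org /bot000000000:PLACEHOLDER_TOKEN_xxxxxxxxxxxx/sendMessage
2022-07-20T09:14:30Z ws-hr-02 outlook.exe outlook.office365.com /owa/
"""

# Public Telegram Bot API path layout: /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")

# Bot API methods that carry data out of the machine (exfiltration channel).
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}

# (host, process) pairs that are allowed to talk to the Bot API. Assumption:
# an ops host running an approved notification bot. Everything else is suspect.
APPROVED: Set[Tuple[str, str]] = {("ops-bot-01", "python.exe")}


@dataclass
class Finding:
    host: str
    process: str
    bot_id: str          # numeric bot ID only; the token secret is never stored
    methods: List[str]   # distinct upload methods observed, sorted


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, process, dest, path = parts
    return {"ts": ts, "host": host, "process": process, "dest": dest, "path": path}


def detect_bot_api_exfil(log_text: str,
                         approved: Set[Tuple[str, str]] = APPROVED) -> List[Finding]:
    """Return one Finding per (host, process, bot ID) that uploads to the Bot API
    from a process not on the approved list."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"].lower() != "api.telegram.org":
            continue
        m = BOT_API_RE.match(rec["path"])
        if not m:
            continue
        bot_id, _secret, method = m.groups()
        if method not in UPLOAD_METHODS:
            continue
        if (rec["host"], rec["process"]) in approved:
            continue
        grouped.setdefault((rec["host"], rec["process"], bot_id), set()).add(method)
    return [Finding(h, p, b, sorted(ms)) for (h, p, b), ms in sorted(grouped.items())]


if __name__ == "__main__":
    for f in detect_bot_api_exfil(SAMPLE_LOGS):
        print(f"{f.host}: {f.process} uploading to bot {f.bot_id} via {', '.join(f.methods)}")
```

Grouping by bot ID lets an analyst see when several workstations report to the same bot, and dropping the secret keeps a live C&C token out of the SIEM. The approved list is deliberately empty for user workstations: a marketing laptop has no business calling `sendDocument` on the Bot API, whichever process does it.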

Countries affected by the DUCKTAIL samples analyzed by the experts include the US, India, Saudi Arabia, Italy, Germany, Sweden, Finland, and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.
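The recommended check above, as an added example that is not part of the original post or the report: given a constructed export of the people listed on a Business account (the e-mail addresses and dates are made up; the role names Admin and Finance editor are the ones the report mentions), it compares every entry with the company directory and e-mail domains, and ranks unknown users that hold the privileged roles first so they can be removed before anyone else is reviewed.

```python
from typing import Dict, List, Set

# Constructed export of people and roles on a Business account (not real data).
PEOPLE: List[Dict[str, str]] = [
    {"email": "alice@example.com", "role": "Admin", "added": "2021-03-02"},
    {"email": "bob@example.com", "role": "Employee", "added": "2021-06-14"},
    {"email": "carol@example.com", "role": "Finance editor", "added": "2022-01-10"},
    {"email": "promo.deals.1988@mail.example", "role": "Admin", "added": "2022-07-19"},
    {"email": "promo.deals.1988@mail.example", "role": "Finance editor", "added": "2022-07-19"},
]

# Assumption: the company directory and its mail domains are known to the reviewer.
DIRECTORY: Set[str] = {"alice@example.com", "bob@example.com", "carol@example.com"}
CORPORATE_DOMAINS: Set[str] = {"example.com"}

# Roles the report names as the ones attackers grant themselves.
HIGH_PRIV = {"Admin", "Finance editor"}


def audit_business_users(people: List[Dict[str, str]], directory: Set[str],
                         corporate_domains: Set[str], added_since: str) -> Dict[str, Dict]:
    """Return {email: {roles, reasons, severity}} for every entry worth a look.

    severity: 'critical' = unknown user holding a privileged role (remove now)
              'high'     = unknown user with an ordinary role
              'review'   = known user given a privileged role on/after added_since
    """
    result: Dict[str, Dict] = {}
    for p in people:
        email = p["email"].lower()
        domain = email.rsplit("@", 1)[-1]
        known = email in directory
        privileged = p["role"] in HIGH_PRIV
        recent = p["added"] >= added_since  # ISO dates compare correctly as strings

        reasons: List[str] = []
        if not known:
            reasons.append("not in corporate directory")
        if domain not in corporate_domains:
            reasons.append("external e-mail domain")
        if known and privileged and recent:
            reasons.append(f"privileged role granted on {p['added']}")
        if not reasons:
            continue

        entry = result.setdefault(email, {"roles": set(), "reasons": set(), "severity": "review"})
        entry["roles"].add(p["role"])
        entry["reasons"].update(reasons)
        if not known:
            entry["severity"] = "critical" if (privileged or entry["severity"] == "critical") else "high"
    return result


def removal_order(findings: Dict[str, Dict]) -> List[str]:
    """E-mails ordered so the most dangerous entries are handled first."""
    rank = {"critical": 0, "high": 1, "review": 2}
    return sorted(findings, key=lambda e: (rank[findings[e]["severity"]], e))


if __name__ == "__main__":
    found = audit_business_users(PEOPLE, DIRECTORY, CORPORATE_DOMAINS, added_since="2022-07-01")
    for email in removal_order(found):
        f = found[email]
        print(f"[{f['severity']}] {email}: roles={sorted(f['roles'])}; {'; '.join(sorted(f['reasons']))}")
```

The two privileged roles are the ones the report says the attackers grant themselves, so an unknown address holding either is treated as an active compromise rather than a housekeeping item; a known colleague who was recently given Finance editor access is only queued for confirmation.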

Security Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual

Jul 27 2020

Facebook’s ‘Red Team’ Hacks Its Own AI Programs

Category: Hacking, Threat detection, Threat Modeling | DISC @ 1:20 pm

Attackers increasingly try to confuse and bypass machine-learning systems. So the companies that deploy them are getting creative.

Source: Facebook’s ‘Red Team’ Hacks Its Own AI Programs

Tags: AI Programs, Facebook security, Facebook InfoSec, Red team