Hackers Using Malicious Browser Extensions to Steal Facebook Business Accounts

It has come to light that Facebook Business accounts have been compromised through the use of harmful browser extensions developed by the notorious Ducktail family.

Ducktail is a specifically designed information stealer that can have severe consequences, such as privacy breaches, financial losses, and identity theft. Its constant updates enable it to bypass most social media platforms’ security measures, and it specifically targets advertising and business accounts.

The main goal of the hack is to target the Facebook accounts of the organization’s employees who either hold fairly senior positions or work in HR, digital marketing, or social media marketing—as reported by Kaspersky.

Criminals send out malicious archives to their potential victims; the archives contain theme-based photos and video clips on a shared subject as bait.

Most of the emails carrying the archives are fashion-themed: for instance, emails containing archives with pictures of clothing were sent out in the names of large participants in the fashion business.

PDF is an executable file

The archive also contains what appears to be a PDF document, but the file is actually a malicious executable that could cause harm to your computer.

Additionally, the file names have been carefully chosen to make them seem relevant and persuade the recipient to click on them. It is important to exercise caution when handling unknown files to avoid potential security risks.

Although the file names in the fashion-themed campaign referred to “guidelines and requirements for candidates,” other forms of bait, such as pricing lists or commercial offers, might also be employed.

When the EXE file is opened, it first shows the contents of a PDF file that is embedded in the malicious code, in the hope that the victim won’t notice anything strange.

Notably, at the same time, the malware scans all the shortcuts on the desktop, in the Start menu, and on the Quick Launch toolbar.

It looks for shortcuts to browsers running on the Chromium platform, like Microsoft Edge, Vivaldi, Brave, and Google Chrome. Once it has located one, the virus modifies the executable file’s command line to include an instruction to install a browser extension.

After that, the malicious script terminates the browser process, prompting the user to restart it using one of the modified shortcuts. This installs the fake extension on the system, where it uses the identical icon and description to pass for Google Docs Offline.
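A defender can check for this tampering by reading the command line stored in each browser shortcut. The PowerShell below is an added example, not code from Kaspersky or from the original article; it assumes the injected instruction is Chromium's `--load-extension` switch, which the article does not name, and the list of browser executable names is likewise an assumption.

```powershell
# Added example: audit Chromium-browser shortcuts for extension-loading arguments.
# Assumption: the injected instruction is Chromium's --load-extension switch.
$browsers = 'chrome.exe', 'msedge.exe', 'brave.exe', 'vivaldi.exe'
$switch   = '--load-extension'

# Locations the article says the malware scans (per-user and all-users variants).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk only reads it; nothing is saved here.
            $lnk = $shell.CreateShortcut($_.FullName)
            if (-not $lnk.TargetPath) { return }          # skip shortcuts without a file target

            $exe = Split-Path -Path $lnk.TargetPath -Leaf
            if ($browsers -notcontains $exe) { return }   # not a Chromium browser shortcut
            if (-not $lnk.Arguments)         { return }   # clean shortcut, no extra arguments

            # Report every browser shortcut that carries arguments, and mark the
            # ones that ask the browser to load an unpacked extension.
            [pscustomobject]@{
                Shortcut       = $_.FullName
                Target         = $lnk.TargetPath
                Arguments      = $lnk.Arguments
                LoadsExtension = $lnk.Arguments -match [regex]::Escape($switch)
            }
        }
}

if ($findings) {
    $findings | Sort-Object LoadsExtension -Descending | Format-List
} else {
    'No Chromium-browser shortcuts with extra command-line arguments were found.'
}
```

Shortcuts reported with `LoadsExtension : True` should be restored to a plain target, and the folder named in the argument examined and removed.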

Fake original

The extension also steals the browser’s active session cookies from Facebook accounts that are logged in on the victim’s device; these cookies allow login to those accounts without authentication.


  • Avoid downloading files from suspicious sites on official work computers.
  • Carefully check the extensions of all files downloaded from the internet or email before opening them.
  • A file with an EXE extension that appears to be a legitimate document should never be clicked on since it is malicious software.
