The Terrifying Malware Targeting Meta Ad Accounts

Ducktail: The Malware Targeting Meta Ad Accounts

It is the malware that’s terrifying digital marketers. It’s called Ducktail — and, with a pinch of social engineering, it can get into your Meta ad accounts and start spending millions of dollars on your company’s credit card.

And if you think two-factor authentication will save you, you’re wrong, because this exploit can even get past hardware keys like Yubico.

It happened to MTA Digital, a performance ad agency in Poland. Paweł Skibiński leads paid social there. They noticed the hack when a colleague was at a workshop, showing their biggest client some of their campaign performance.

Paweł: He saw that something was wrong with the naming of the campaigns. And he [said] “Wait a minute, these are not our campaigns.” Then we just ended the workshop.

The hackers had gotten in, essentially ignoring their two-factor authentication, and started spending. More than a million dollars.

Paweł: It was using a browser plugin — some of the plugins [were] hacked, and they used that to get access.

Tod: But what did the plugin’s functionality purport to do? Like, presumably you didn’t download a plugin for your browser called “Let us into your Facebook account.” What did it pretend to be on its way in?

Paweł: This was some kind of grammar plugin, but it was [one] of the normal ones. So it wasn’t that suspicious…. With some plugins, they want more access to the website than the other ones. 

We now have a very strict list of plugins that we can use on the browser that we are logged into company accounts in.

For example, the TikTok pixel helper, we don’t use it on those accounts, because it just asks for too much. And last time I checked Twitter’s pixel helper — it was like more than two years ago — but at that time, it was also just asking for too much.

Then, they got hacked a second time. But this time, the hackers didn’t even need a browser plugin. Skibiński believes they were able to scrape the two-factor backup codes using an invisible web browser.

This weekend, our full conversation where Paweł and his colleague go step-by-step how they were hacked and what brands and agencies can do to protect themselves from this very scary malware.