Your Meta Account Has Been Hacked -- What Now?
On Thursday, May 25th we at oakpool lost control of a number of Meta Business Suites due to a malicious attack by hackers. In total, 6 clients had 12 ad accounts affected, and we were able to resolve and remove all malicious actors within 4 days, and most within 48 hours. In the digital world, it is somewhat a matter of inevitability that there will at some point be a hack or breach of security. At oakpool’s beginning, we could not have imagined the scale and sophistication at which this type of cyber terror is now being perpetrated.
This is one of those things that you think will never happen to you, until it does.
In the subsequent days and weeks that followed our hack, we spoke with a number of security consultants, agencies, and other victims of these attacks. We made an alarming discovery that these sorts of attacks are widespread, and have therefore decided to write this article in order to spread awareness and outline a plan of action if this should happen to you or your clients.
We were alarmed that the breach had come from a compromised internal email account with admin access to each affected account. This was not through any malintent or incomplete security protocols - but a phishing scheme and one misplaced click on a link sent to one of our associates. We quickly moved past any non-productive “blame games” and accepted that this could happen to any one of us, agency or client side.
These hackers employ a process called “malverposting”, defined below.
“Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to ‘amplify’ their posts.” - Hacker News
In effect, hackers gain access to an ad account and spend as much as they can on a self-promoting and self-propagating ad that amplifies and extends the reach of their virus. In turn, this gains them access to more ad accounts in a snowball effect.
The specific Hack that we incurred, and seems to be affecting others these days is called “The Ducktail Virus.”
This is not anything new in concept, although has gotten far more sophisticated in recent months with a particular wave affecting US, UK, Australia, Canada, and Indian Meta Business Suite Accounts. We are constantly aware of this threat at oakpool, and have always taken prerequisite measures to ensure that our employees and associates are armed and protected with the extent of the security tools that Meta has to offer (2 Factor Authentication and more recently Facebook Protect). We also mandate a password change every 6 months. As has become apparent, this was not enough to ward off this attack.
Once the attack became apparent, we had all hands on deck identifying and removing the compromised account from all Meta Business Suites that we manage. We suspended the account from our server and isolated or blocked off all other exposed endpoints.
We immediately alerted all clients to the breach, and advised them to lock or suspend their FB payment methods to minimize damage and encourage the hackers to lose interest. We had all hands send multiple support requests (over 20) to Meta Business Support, which is infamously hard to get help from and especially so in the aftermath of the Meta layoffs. We worked any backchannels we had with Meta to escalate this critical matter and get these issues resolved as soon as humanly possible. This included past support tickets, college friends and acquaintances who work at Meta, colleagues with Meta connections and so on. Nothing and nobody was off limits.
In the event that the above measures do not prevent a hack, take the following steps.
1. In Business Manager, click Help icon at bottom left
2. 'Create New Case'
3. "It's something else"
4. "Other Issues"
5. Select the disabled ad account & choose "Other ad account issue"
6. Choose Chat support if they're online, that has been fastest for us. Email works if not, you should hear back within 24 hours. This below script has worked, tweak as needed. And, be sure to attach a screenshot of the disabled ad account.
Copy & paste the following note into the messaging box:
Last week, a Facebook account with access to our business manager was compromised. You were able to remove the malicious users and return access back to us, thank you immensely for that.
The only piece left to resolve is that our ad account remains disabled. Our business manager account is all clear at this point, and we're hoping to regain access to the ad account asap to begin advertising again. Thank you for your help in expediting this."
If you're currently experiencing a hack, we hope this has been helpful. If you haven't yet, we hope this has served as a cautionary tale. If you're looking for an advertising agency, you know where to find us.