
Securing Your Facebook Business Manager Account After a Hack

Alex Ford
July 18, 2023

Your Meta Account Has Been Hacked -- What Now?

On Thursday, May 25th, we at oakpool lost control of a number of Meta Business Suites due to a malicious attack by hackers. In total, 6 clients had 12 ad accounts affected, and we were able to resolve the situation and remove all malicious actors within 4 days, most within 48 hours. In the digital world, it is almost inevitable that there will at some point be a hack or breach of security. At oakpool's beginning, we could not have imagined the scale and sophistication at which this type of cyber terror is now being perpetrated.

This is one of those things that you think will never happen to you, until it does.

In the days and weeks that followed our hack, we spoke with a number of security consultants, agencies, and other victims of these attacks. We made the alarming discovery that these attacks are widespread, and have therefore decided to write this article to spread awareness and outline a plan of action should this happen to you or your clients.

What Happened

We were alarmed to learn that the breach had come from a compromised internal email account with admin access to each affected account. This was not through any malintent or incomplete security protocols, but a phishing scheme and one misplaced click on a link sent to one of our associates. We quickly moved past any non-productive "blame games" and accepted that this could happen to any one of us, agency or client side.

These hackers employ a process called “malverposting”, defined below.

“Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to ‘amplify’ their posts.” - Hacker News

In effect, hackers gain access to an ad account and spend as much as they can on a self-promoting and self-propagating ad that amplifies and extends the reach of their malware. In turn, this gains them access to more ad accounts in a snowball effect.

The specific attack we suffered, which seems to be affecting others these days, is called "The Ducktail Virus."

This is nothing new in concept, although it has become far more sophisticated in recent months, with a particular wave affecting US, UK, Australian, Canadian, and Indian Meta Business Suite accounts. We are constantly aware of this threat at oakpool, and have always taken precautionary measures to ensure that our employees and associates are protected with the full extent of the security tools that Meta has to offer (Two-Factor Authentication and, more recently, Facebook Protect). We also mandate a password change every 6 months. As has become apparent, this was not enough to ward off this attack.

What We Did About It

Once the attack became apparent, we had all hands on deck identifying and removing the compromised account from all Meta Business Suites that we manage. We suspended the account from our server and isolated or blocked off all other exposed endpoints.

We immediately alerted all clients to the breach and advised them to lock or suspend their Facebook payment methods to minimize damage and encourage the hackers to lose interest. We had all hands send multiple support requests (over 20) to Meta Business Support, which is infamously hard to get help from, and especially so in the aftermath of the Meta layoffs. We worked any backchannels we had with Meta to escalate this critical matter and get these issues resolved as soon as humanly possible. This included past support tickets, college friends and acquaintances who work at Meta, colleagues with Meta connections, and so on. Nothing and nobody was off limits.

What This Means For You

  • Stay on top of and continue to follow up on Meta support tickets. Constant communication is key here, and we've found that the squeakiest wheel gets the grease in these situations.
  • It is Meta's policy to reimburse any budget spent as a result of a hack. Minimize the hackers' spending ability by freezing your associated ads payment method, but don't get too caught up in the size of the ad spend.
  • It is not the standard practice of these hackers to create organic posts (Hacker News source). They operate by connecting their page or asset to your ad account, thereby minimizing Brand Safety risks, for now.
  • Remove the compromised account from Google Ads, LinkedIn, Snapchat, TikTok, and Pinterest ad accounts. Even if there is no obvious sign of a breach there (this scheme has historically been perpetrated only on Meta accounts), don't take any chances.
  • If you hold an admin, contributor, editor, or analytics role on your Business Suite, you are not personally affected by this hack. As far as this breach is concerned, your personal data is safe.

Preventative Measures and Action Plan for Future Hacks

Preventative Measures

  1. Enable Two-Factor Authentication and Facebook Protect for everyone who has access to your Meta account. Individuals can turn both of these on in Settings on their personal accounts. Instructions here. You will also see prompts to enable Facebook Protect on the same page. We recommend Meta Verified for everyone, but at least for those in an Admin role.
  2. Remove any unnecessary admins or users from your account. Past agencies, ex-employees, or anyone non-essential to the daily operations of your account is just another potential access point for bad actors. Minimize your exposure here.
  3. Do not click any links from anyone you don't know. It seems obvious, but this hack came from an exchange one of our associates had with a very legitimate-sounding request for marketing services. At the end of the exchange, the hacker sent a link to view their existing marketing materials. This link contained the malware that entered our system.
  4. Store your Business Manager IDs and Account IDs offline. You will need them to push your case with Meta Support, and you may not be able to access that information once the hackers have pushed you out of your account.
  5. Cyber insurance. This past week highlighted the importance of business and personal protection in the digital world, no matter what security steps we take to prevent hackers. We use StartSure, and have been very happy with their service.

In the event that the above measures do not prevent a hack, take the following steps.

Process For Any Future Hacking Incidents

  1. Identify & Remove. Identify the compromised account and remove it from all business endpoints in your digital stack. You can identify the compromised account by looking at the activity log of a campaign created by the hacker, found in Meta Ads Manager.
  2. Appeal to Meta. Submit multiple tickets to the Meta Help Desk and include your Business Manager ID. Write this down now on a piece of paper. We fortunately already had these in a spreadsheet for each client, which greatly improved our ability to resolve this quickly. Here is the form for submitting a ticket.
  3. Fight Back. If you still have access to the account, fight back in real time by turning off and deleting campaigns made by the hackers. Facebook's AI will usually flag errors or irregularities (high spend, strange ad content) made by the hackers, but we saw this fail on a few occasions during our hack.
  4. Back Channel. Call us or anyone you know at Meta to escalate the Case Number that will be generated after submitting the form in Step 2. Friends of friends, a college roommate's girlfriend, or a person you met once at a conference are all fair game in an emergency situation like this. Typical turnaround time for a prioritized Meta Business ticket is 48 hours, but we were able to expedite this by reaching out to personal connections who work at Meta.

Getting Your Ad Account Back

1. In Business Manager, click the Help icon at the bottom left

2. 'Create New Case'

3. "It's something else"

4. "Other Issues"

5. Select the disabled ad account & choose "Other ad account issue"

6. Choose Chat support if they're online; that has been fastest for us. Email works if not, and you should hear back within 24 hours. The script below has worked for us; tweak as needed. And be sure to attach a screenshot of the disabled ad account.

Copy & paste the following note into the messaging box:

"Hi,
Last week, a Facebook account with access to our business manager was compromised. You were able to remove the malicious users and return access back to us, thank you immensely for that.
The only piece left to resolve is that our ad account remains disabled. Our business manager account is all clear at this point, and we're hoping to regain access to the ad account asap to begin advertising again. Thank you for your help in expediting this."

If you're currently experiencing a hack, we hope this has been helpful. If you haven't yet, we hope this has served as a cautionary tale. If you're looking for an advertising agency, you know where to find us.
