The Terrifying Malware Targeting Meta Ad Accounts

Millions lost, and still the Ducktail malware continues to sow chaos with online media buyers. Plus: Pinterest pins its hopes on the clean room. Twitter's latest round of layoffs... And more!

Ducktail: The Malware Targeting Meta Ad Accounts

It is the malware that's terrifying digital marketers. It's called Ducktail — and, with a pinch of social engineering, it can get into your Meta ad accounts and start spending millions of dollars on your company's credit card.

And if you think two-factor authentication will save you, you're wrong, because this exploit can even get past hardware keys like Yubico.

It happened to MTA Digital, a performance ad agency in Poland. Paweł Skibiński leads paid social there. They noticed the hack when a colleague was at a workshop, showing their biggest client some of their campaign performance.

Paweł: He saw that something was wrong with the naming of the campaigns. And he [said] "Wait a minute, these are not our campaigns." Then we just ended the workshop.

The hackers had gotten in, essentially ignoring their two-factor authentication, and started spending. More than a million dollars.

Paweł: It was using a browser plugin — some of the plugins [were] hacked, and they used that to get access.

Tod: But what did the plugin's functionality purport to do? Like, presumably you didn't download a plugin for your browser called "Let us into your Facebook account." What did it pretend to be on its way in?

Paweł: This was some kind of grammar plugin, but it was [one] of the normal ones. So it wasn't that suspicious.... With some plugins, they want more access to the website than the other ones. 

We now have a very strict list of plugins that we can use on the browser that we are logged into company accounts in.

For example, the TikTok pixel helper, we don't use it on those accounts, because it just asks for too much. And last time I checked Twitter's pixel helper — it was like more than two years ago — but at that time, it was also just asking for too much.

Then, they got hacked a second time. But this time, the hackers didn't even need a browser plugin. Skibiński believes they were able to scrape the two-factor backup codes using an invisible web browser.

This weekend, we're releasing our full conversation, in which Paweł and his colleague go step by step through how they were hacked and what brands and agencies can do to protect themselves from this very scary malware.

That's coming tomorrow, exclusively to the Premium podcast feed, which you can sign up for at https://todayindigital.com/premium/

Pinterest Pins Hopes on the Clean Room Bandwagon

Pinterest is releasing some enhanced ad functionality ahead of the cookiepocalypse. 

The company has partnered with data platform LiveRamp to pilot clean rooms for select advertisers, which will let brands combine their own first-party data and data from Pinterest for ad targeting in a third-party space, without having to re-share info with Pinterest. The clean room software keeps data private, and provides aggregated insight into ad performance.

Pinterest emphasized that because the neutral clean room environment offers privacy controls, neither party’s personally identifiable sales and campaign data is visible to the other party. 

🍪 Looking Ahead

The company hopes the move will offer brands and advertisers an alternative tracking method as we move toward a cookieless future.

Pinterest said that grocery retailer Albertsons will be the first advertiser to test the new software, with more to follow.


Twitter Lays Off Ad Platform Engineers

Let this sink in: While Twitter's ad revenue continues to tank, Elon Musk has now laid off engineers working on advertising.

The Information reported yesterday that roughly 40 data scientists and engineers who specialized in refining machine learning to optimize ads on the platform were let go Wednesday evening. The cuts follow the resignation of the company's product engineering lead earlier this week.

According to a source with direct knowledge of the layoffs, those impacted had been working on using machine learning to show Twitter users the most relevant ads based on their interests and behaviour on the platform. They added that the layoffs now leave very few engineers in this area. 


Commerce: Holiday Shoppers Set a Spend Record

Despite money woes, U.S. shoppers rang up a record of nearly $212 billion in e-commerce spending in November and December, up 3.5% from last year, according to a new Adobe Analytics report released yesterday. 

The report noted that price hikes and increased consumer demand fueled the spike. The company did not factor inflation into its sales growth figures but said there would still be underlying consumer demand growth if it had done so. 

Online toy sales saw the greatest increase compared to October 2022 at 206%, followed by:

  • Video games

  • Apparel and accessories

Smartphones, meanwhile, accounted for nearly half of online sales.

👀 Shoppers Lured by Deep Discounts 

Adobe also reported record discounts this holiday season across major e-commerce categories:

  • Toys saw the biggest discounts with retailers marking down items by over 30%

  • Discounts on electronics hit 25%

💸 Big Spend = Big Debt

But even with those big discounts, more than a third of consumers took on debt to pay for their holiday purchases.

A recent survey found that consumers racked up over $1,500 in debt, up nearly a quarter from 2021. One in 3 said it will take at least five months to pay off their debt. 

The majority of respondents said they didn't plan on taking on debt.

💳 BNPL 

The report also found that a quarter of respondents had used buy now, pay later services to finance their 2022 holiday shopping, down from a third last year. 

In terms of sources of holiday debt, BNPL platforms ranked second behind credit cards, while store credit cards ranked third.

(Data has been provided by LendingTree’s survey of over 700 consumers.)


TikTok Wants You To Get Your 8 Hours

TikTok is trying to save you from spiralling into a black hole while you should be catching some Zs. 

The platform confirmed today that it is testing new sleep reminders that include the option to set up alerts when it's your bedtime and to mute notifications while you sleep — which could be a welcome update for exhausted social media managers. 

There is no word yet on whether the feature will sing you to sleep with a lullaby. 
