A new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.
Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is “temporarily locked”. The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro (approximately $25 US) voucher number to “confirm verification” of their identity and unlock the account. The page claims the cash voucher will be “added to the user’s main Facebook account balance”, which is obviously not the case. Instead, the voucher number is transferred to the Carberp bot master who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euro/$25.
This clever man-in-the-browser (MitB) attack exploits the trust users have with the Facebook website and the anonymity of e-cash vouchers. Unlike attacks against online banking applications that require transferring money to another account which creates an auditable trail, this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately anywhere they are accepted on the internet.
Attacking social networks like Facebook provides cybercriminals with a large pool of victims that can be fairly easily tricked into divulging confidential account information, and even, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the internet, we expect to see more of these attacks. Like card not present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low risk form of crime. With e-cash, however, it is the account holder not the financial institution who assumes the liability for fraudulent transactions.
Much has been written about the Ramnit worm and its transformation into a financial malware. And now, Seculert’s research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France.
Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.
In August 2011, Trusteer reported that Ramnit went ‘financial’. Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a “Hybrid creature” which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.
With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.
Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.
A new social networking worm in the vein of Koobface is currently doing the rounds.
Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.
The link in his Facebook chat from a friend pointed to an app.facebook.com/CENSORED link. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.
The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.
It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.
The good news is that, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.