A new configuration of the Carberp Trojan targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.
Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is “temporarily locked”. The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro (approximately $25 US) voucher number to “confirm verification” of their identity and unlock the account. The page claims the cash voucher will be “added to the user’s main Facebook account balance”, which is obviously not the case. Instead, the voucher number is transferred to the Carberp bot master who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euro/$25.
This clever man-in-the-browser (MitB) attack exploits the trust users place in the Facebook website and the anonymity of e-cash vouchers. Unlike attacks against online banking applications, which require transferring money to another account and therefore leave an auditable trail, this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately, anywhere they are accepted on the internet.
Attacking social networks like Facebook provides cybercriminals with a large pool of victims who can be fairly easily tricked into divulging confidential account information and even, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the internet, we expect to see more of these attacks. Like card-not-present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low-risk form of crime. With e-cash, however, it is the account holder, not the financial institution, who assumes the liability for fraudulent transactions.
A new, unique type of phishing attack targeting online banking customers was recently discovered by the RSA FraudAction Research Lab. RSA has coined the term “Chat-in-the-Middle” for this attack: it is first executed through routine means but then adds a more advanced layer for perpetrating online fraud. The phishing attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site, but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by the fraudsters.
During the live chat session, the fraudster behind the attack presents himself as a representative of the bank’s fraud department and attempts to dupe customers who are online into divulging sensitive information – such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.
Upon detecting the attack, RSA immediately informed the affected financial institution and commenced a standard phishing attack shut-down procedure through the RSA Anti-Fraud Command Center and its RSA FraudAction service. (RSA cannot identify this bank, in order to protect its security and privacy.) The attack is hosted on a well-known for-hire fast-flux network, rented from fraudster to fraudster, which hosts a wealth of malicious websites such as phishing attacks, Trojan infection points, mule recruitment websites, and more.
Source: RSA FraudAction Research Lab
It would be easy to think that once someone has logged in successfully to Facebook—and not a phishing site—that the security threat is largely gone. However, that’s not quite the case, as we’ve seen before.
Earlier this week, Trend Micro researcher Rik Ferguson found at least two—if not more—malicious applications on Facebook. (These were the Posts and Stream applications.) They were used for a phishing attack that sent users to a known phishing domain, with a page claiming that users needed to enter their login credentials to use the application. The messages appeared as notifications in a target user’s legitimate Facebook profile.
After entering the credentials, users would then be redirected to Facebook itself.
While Trend Micro has informed Facebook of these findings, users should still exercise caution when entering login credentials. They should be doubly sure that these are being entered into legitimate sites, and not carefully crafted phishing sites. The particular site involved in this phishing attack is already blocked by the Smart Protection Network.
Source: TrendLabs Malware Blog
There has been a phishing scheme running around on Twitter this weekend.
But, so far, it’s a relatively easy one to avoid becoming a victim of.
Here are some tips on the phishing mess.
First, it is okay to check your DMs on Twitter.
You don’t need to be afraid to check them. But, be careful about any links in messages from others, even if you know them.
You won’t be affected by the scam just by reading your DMs.
For people using OpenDNS or Firefox 3, it appears that both of those are now blocking the phishing site. But, still be careful out there.
The short of it is that you should be careful, but don’t become irrational over the phishing attack.
Here are the known URLs of the phishing attack:
Source: dcr Blogs
Christopher Boyd, Director of FaceTime Security Labs, a malware research firm, has found a list of hacked eBay logins.
The list runs to 121 pages and carries 5,534 eBay accounts, including usernames, passwords and e-mail addresses, as reported by ecommerceguide on October 15, 2008.
According to the report, some of the stolen accounts were inactive, but the list also included active accounts.
Their number was more than enough to caution eBay members that they should protect their accounts.
The list of stolen accounts is also probably the outcome of phishing scams targeted at eBay, in which attackers send fake mails claiming to come from eBay to deceive users into revealing their private details.
The report also notes that many of the accounts belong to recently registered users or users with low feedback scores, since these users do not access eBay often.
This makes them the most promising targets for hackers.
Source: SpamFighter