The cybercriminals behind the notorious Ramnit malware may have been successful in stealing more than 45,000 Facebook credentials, but a spokesperson with the social network said many of those account credentials were invalid.
“We have initiated remedial steps for all affected users to ensure the security of their accounts,” the Facebook spokesperson said in an email. “Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our antivirus systems to help users secure their devices.”
Researchers keeping close watch on the Ramnit worm, which is responsible for targeting financial institutions globally, discovered a cache of Facebook credentials and alerted the social network to the growing threat earlier this month. The files containing the credentials had no active timestamps, yielding no clues as to how long the data had been sitting on the rogue server, said Aviv Raff, CTO of Israel-based security threat services firm Seculert.
“It’s still active in that we’re still seeing the file being updated in real time,” Raff said.
The Facebook accounts were mainly from users in the U.K. and France. Raff said it is likely that the cybercriminals are conducting attack campaigns targeted to gain access to bank accounts in those countries. In addition to Facebook credentials, the server contained banking usernames and passwords, according to Raff. He declined to say how many stolen banking credentials were discovered.
Facebook, which boasts 800 million active users, has a mixture of security technology and an active security response team to detect anomalous account activity that could signal a fast-moving threat on its network. When an account is flagged, the social network alerts affected users and can temporarily lock out an account until the user takes remedial action. The company also partnered with McAfee in 2010 to improve its account remediation processes.
About 1 million infected machines make up the Ramnit botnet. The malware, which started out stealing FTP credentials, was converted into a financial threat last year when the Zeus and SpyEye source code became public. Raff said the latest variant adds the social networking feature in an attempt to spread the worm and grow the botnet. The Koobface worm started spreading on Facebook and then spread to Twitter and LinkedIn accounts, so researchers can’t rule out that the Ramnit authors will target other social networks.