A new form of the Carberp Trojan, which tricks users into committing financial fraud via e-cash vouchers, is now targeting Facebook users, according to researchers at Trusteer.
The malware is used in a man-in-the-browser (MitB) attack, which exploits the trust users place in Facebook and the anonymity of e-cash vouchers, wrote Amit Klein, CTO of Trusteer, in a recent blog post about the Carberp Trojan. Klein said the Trojan replaces a Facebook page with a fake page that notifies users that their account has been “temporarily locked” and can be unlocked by providing personal information and an e-cash voucher worth approximately $25.
That money is supposed to be added to the user's Facebook account balance, according to the malicious page. After the fake page collects the victim's first and last name, email address, birthdate and Facebook password, the e-cash voucher number is transferred to the Carberp bot master, Klein wrote.
This man-in-the-browser attack is particularly dangerous, said Klein, because it cannot be tracked. The Trojan is extremely stealthy: it is shielded from antimalware detection by several layers of protection and uses rootkit techniques to avoid being found. Once the vouchers are acquired, they can essentially be used as cash anywhere they are accepted on the Internet, leaving no auditable trail.
“Attacking social networks like Facebook provides cybercriminals with a large pool of victims that can be fairly easily tricked into divulging confidential account information, and even, as illustrated in this case, giving up their cash,” Klein wrote.
Carberp surfaced last October as a promising new spyware family that could rival the Zeus or SpyEye malware. It uses a new evasion technique of deliberately dropping a copy of itself and its component files in directories that do not require administrator privileges. The technique defeats Windows 7 and Vista’s User Account Control (UAC) feature, according to researchers at Trend Micro Inc.
This is not the first time Facebook has been attacked by hackers. Although the new Carberp Trojan is of a different nature, other attacks have been used in the past to exploit the popular social network.
Earlier this month, a credential-stealing Ramnit worm was discovered, creating a problem for companies whose employees use the same login credentials for Facebook as for their corporate accounts.
Other worms have also been used to log into Facebook accounts and drop malicious code onto the system when opened, disguised as a .jpg file purporting to be a screensaver. Still another attack memorably posted explicit and often violent pornography on some users' profile pages.
With each attack comes an effort by Facebook to fix the vulnerabilities in its system, but Klein says that with the increasing popularity of e-cash vouchers, “we expect to see more of these attacks.”