Bank Trojan botnet targets Facebook users

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.

This is a screen shot of the message in the body of the fake Facebook e-mail.

(Credit: AppRiver)

When they provider that information, victims are taken to a page that offers an "Update Tool," but that is actually the Zeus bank Trojan that is designed to steal financial and personal data, Touchette said.

Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.

There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.

More details are on the AppRiver blog.

On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.

To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.

Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.

If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.

This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.

(Credit: AppRiver)

[kaiman75]

Just more reason for me to not sign up for a Facebook account and do my banking the old-fashioned way - by mail!

[StayConfused]

Hmmmm. You don't use Facebook to do online banking

[WinNoMo]

Oh my. My Mac doesn't seem to have this feature. Must be because it is such a niche toy with low market share. I am tired of being left out of these great opportunities! Makes me really miss Windows..................

[Vegaman_Dan]

"Makes me really miss Windows.................."

Somehow I don't think anyone misses you though.

[Dalkorian]

Now now, this particular nasty is a trojan. True it's custom built for winblows, but the user has to install it first. No OS is proof against users installing programs, so I wouldn't recommend relying on OS X's improved security to keep you safe.

Never install programs sent unsolicited by email.

[Squeedle]

@kaiman75: That's clearly the best way, 'cause nobody ever steals checks sent through the mail, and mail never gets lost, either.

[Dalkorian]

Funny you mention that, when I need to (snail) mail something I *NEVER* use the mailbox in front of my house. I go to the local post office and mail from there. Just because I'm paranoid doesn't mean the world isn't out to get me.

;-)

[suzyq032951]

Yeah right. Mail never gets lost or stolen. That is why when I do mail a check, I take it straight to the post office, never mail from my home mail box. With on line banking, I can check as many times as I want and if I find a problem, I take it straight to the bank. Don't have to wait till the next statement to see what is going on with my bank accounts.

[gertruded]

Again the writer fails to tell us that this is a Windows Trojan. Be safe, do not use Windows on line. Windows is a good operating system as long as you stay off line with it. Load another operating system such as Ubuntu to go on line with. You will not face this trojan.

[Vegaman_Dan]

Or simply not be stupid or gullible enough to respond so such emails that are blatant attempts to steal your information.

I'll go with the second option.

[zyxxy]

Exactly. "Oh yes, let me give permission to this random .exe file that someone has just handed me."
Dumb and dumber.

[Dalkorian]

You missed the dangerous part Gertruded - it's a trojan. The user had to install it. Name one operating system that is proof against the user installing programs. The fact that the user was tricked is how a trojan works, you think you're getting one thing but get something else entirely.

Note that I don't disagree with the idea that the only remotely secure winblows box is the one that is disconnected from any and all networks.

[zyxxy]

Which is exactly why the users (my family, including me) on the home PC do not have admin privilege and do not know the admin password. So when UAC asks for the admin password, they always click 'no'.

Okay, I know the admin password, but I never grant it from my user account.

[Dalkorian]

If you think that poorly implemented UAC fecalware is protecting you in any way, you are severely delusional and should be prevented from operating any computer.

[mailhacker]

@Dalkorian - Just because its annoying doesnt mean it doesnt work. Mac fanboys. lol.

[Garken]

To Dakorian. Why don't you pay your uncle Kevorkian a visit ? It will solve all your mental issues with MS Windows. It will also save you the cost of a Mac too.

[gggg sssss]

why does cnet blur the offending download site. Shame them publicly I say

[suzyq032951]

Bottom line is NEVER give out your personal information on line. Facebook already has it so why would they ask for it again. I would never fall for that line.

[MiamiWebDesigner]

Big Brother Has a Name, and that Name is CLOUDMARK:

tinyurl[dot]com/Cloudmark

[Hanzl]

Windows Xp and Vista are very safe OS's.
Proven.
But they have a different approach regarding user setup.
XP comes with standard adminaccount enabled where Unix clones force you to create a useraccount and assign rights. Windows gave the users to much freedom and that created the problem.
Next Windows is so far more widespread that attacks have more profit to focus on Windows then on other systems.
The user is the dangerzone, not the OS.

[MiamiWebDesigner]

Big Brother Has a Name, and that Name is CLOUDMARK: This 1984-ish content-based "spam signature" filter gives Network Solutions and other web hosts and ISPs complete control over what emails YOU are allowed to send or receive. They can define whatever they choose to be a "spam signature", including the name of a cause they don't support, or the business telephone numbers of people who do. Here is how I know: tinyurl[dot]com/Cloudmark