Three new scams play on a variation of users losing Facebook access, whether it's because Mark Zuckerberg is shutting down the site or because the account has been suspended, said security researchers.
Security researchers have
identified several new malware strains claiming to take away users' access to
Facebook over the past few days.
Users receive messages,
either via instant message, e-mail or on Facebook, claiming that their accounts
will be shut down. However, the scams promise to restore access if the users
follow instructions, the researchers said.
"Once again cyber-criminals
are using social engineering to trick victims and infect them with
malware," said Luis Corrons, technical director of PandaLabs.
PandaLabs reported on Feb. 1
a worm that hijacks Facebook accounts and prevents users from logging in unless
they subscribe to a paid service. The Lolbot.Q worm is distributed across
instant messaging applications such as AOL Instant Messenger, MSN and Yahoo
Messenger, according to Panda Security.
When a user clicks on the
malicious link in the message, the site downloads a worm, designed to hijack
, to the computer, the researchers said. Once downloaded,
users are blocked from logging in because their accounts are "suspended" and they
need to complete a questionnaire before the accounts can be "reactivated," the
company said. In addition to reactivating the account, users are promised
various prizes such as free laptops and iPads for answering the questions.
After several questions,
users are directed to a different campaign that requires them to subscribe with
their cell phone numbers. Once subscribed, the users are charged a fee of
$11.60 per week on their cell phone and get a new password that reinstates
access to their account, PandaLabs said.
There have also been a
number of scams recently purporting that Facebook CEO Mark Zuckerberg has
decided to shut
down the social-networking site
unless users take action.
A new one made the rounds on
Feb. 1, according to Graham Cluley, a senior technology consultant at Sophos.
Users saw Wall posts encouraging them to click on a link to "verify" their
accounts to remain active, he said.
Clicking on the link took
users to a normal Facebook application permissions dialog, but once installed,
the rogue application would repost the message to the user's Wall in order to
spread the link virally, Cluley wrote. Along with an "account-verification
process" screen, users are asked to fill out surveys that may spawn even more
Wall spam, he said.
Another scam spams users
with e-mail messages from "FaceBook Service" claiming their Facebook accounts
had been hijacked to send spam, according to PandaLabs. Claiming their login
credentials had been changed "for safety," users are encouraged to open the attachment
to get the new password
, the security researchers warned. While PandaLabs
researchers said the attachment was a .EXE file masquerading as a fake Word
document, Sophos senior technology consultant Graham Cluley reported a
variation that came with a .ZIP file, instead.
Regardless of the file name,
once opened, it downloads other pieces of malware, which opens all available
ports on the computer and connects to the multiple mail service to spam more
users, the researchers said. PandaLabs named the Trojan Asprox.N while Sophos
detected it as Agent-QAY.
Despite the awkward language
used in the e-mail, the scam can succeed because there are "many Facebook addicts"
who would "panic" and "rashly click on the attachment without thinking," Cluley