Facebook Campaigns Serve Up Nasty Cocktail

By Matthew Hines  |  Posted 2009-11-04 Print this article Print

Anyone with a busy e-mail in-box has likely noticed the dramatic uptick in Facebook-related phishing campaigns making the rounds over the last several weeks.

Waves of the threats are surging across the Web daily, encouraging users to click on an attachment based on their need to update their Facebook log-in information.

For people like myself who don't use the popular social networking site, it's pretty clear that the campaign is nothing but an attack in waiting, but many of the messages do feature a fairly believable level of polish, using the same logo images and fonts typically employed by the networking site itself.

Having taken a closer look at the widespread attack, researchers with McAfee are warning that the threats actually serve up far more than just a Facebook password phishing scheme, but also a dangerous cocktail of malware infections that will leave many affected endpoints squarely in the hands of electronic assailants.

In a blog post authored by McAfee AVERT Labs researcher Arun Pradeep, the multi-tiered level of sophistication involved in the Facebook campaign is spelled out.

First off, in addition to seeking people's Facebook data, the threat downloads a keylogger malware attack that is aimed at stealing people's credit card, social security, and banking passwords from their machines.

And, almost predictably at this point, the attack also loads a rogue AV scanner application which also disables applications including Windows Notepad and Wordpad until users agree to pay for additional malware cleansing tools.

"Phishing campaigns on social networking sites are not new," Pradeep notes. "[But] scammers are not satisfied only pushing spam to sell 'Canadian' pills. Now they also want to sell fake security products, and they need all of our passwords," the expert said.

In terms of its delivery model, once a user opens the attached zip file claiming to offer the password update info, they are served up a spreadsheet file that, once opened, drops the actual malware cocktail onto their machine.

After the malware takes root, it establishes a connection to the attacker's server through the HTTP port and attempts to download more payloads, including the aforementioned keylogger. The attack then forwards any data that it can gather to a remote server through a backdoor.

In terms of the phony AV angle, the rogue application enters through the same backdoor and then "covertly" installs itself before running and killing many applications that might be open, including Notepad, Calculator, Registry Editor, Task Manager, and others, Pradeep said.

The attack does not go after Internet Explorer because it needs IE to communicate back with its malware server.

So there you have it, if you've been wondering what all those Facebook spam notes were up to, McAfee's taken off the wrapper for us. If you've already fallen for the ruse, it might be time to call in your IT staff, or to merely toss your PC out the window and start over.

Just kidding. Sort of.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel