Security researchers have identified several new malware strains claiming to take away users’ access to Facebook over the past few days.
Users receive messages, either via instant message, e-mail or on Facebook, claiming that their accounts will be shut down. However, the scams promise to restore access if the users follow instructions, the researchers said.
“Once again cyber-criminals are using social engineering to trick victims and infect them with malware,” said Luis Corrons, technical director of PandaLabs.
PandaLabs reported on Feb. 1 a worm that hijacks Facebook accounts and prevents users from logging in unless they subscribe to a paid service. The Lolbot.Q worm is distributed across instant messaging applications such as AOL Instant Messenger, MSN and Yahoo Messenger, according to Panda Security.
When a user clicks on the malicious link in the message, the site downloads a worm, designed to hijack Facebook accounts, to the computer, the researchers said. Once downloaded, users are blocked from logging in because their accounts are “suspended” and they need to complete a questionnaire before the accounts can be “reactivated,” the company said. In addition to reactivating the account, users are promised various prizes such as free laptops and iPads for answering the questions.
After several questions, users are directed to a different campaign that requires them to subscribe with their cell phone numbers. Once subscribed, the users are charged a fee of $11.60 per week on their cell phone and get a new password that reinstates access to their account, PandaLabs said.
There have also been a number of scams recently purporting that Facebook CEO Mark Zuckerberg has decided to shut down the social-networking site unless users take action.
A new one made the rounds on Feb. 1, according to Graham Cluley, a senior technology consultant at Sophos. Users saw Wall posts encouraging them to click on a link to “verify” their accounts to remain active, he said.
Clicking on the link took users to a normal Facebook application permissions dialog, but once installed, the rogue application would repost the message to the user’s Wall in order to spread the link virally, Cluley wrote. Along with an “account-verification process” screen, users are asked to fill out surveys that may spawn even more Wall spam, he said.
Another scam spams users with e-mail messages from “FaceBook Service” claiming their Facebook accounts had been hijacked to send spam, according to PandaLabs. Claiming their login credentials had been changed “for safety,” users are encouraged to open the attachment to get the new password, the security researchers warned. While PandaLabs researchers said the attachment was a .EXE file masquerading as a fake Word document, Sophos senior technology consultant Graham Cluley reported a variation that came with a .ZIP file, instead.
Regardless of the file name, once opened, it downloads other pieces of malware, which opens all available ports on the computer and connects to the multiple mail service to spam more users, the researchers said. PandaLabs named the Trojan Asprox.N while Sophos detected it as Agent-QAY.
Despite the awkward language used in the e-mail, the scam can succeed because there are “many Facebook addicts” who would “panic” and “rashly click on the attachment without thinking,” Cluley said.