Facebook Phishing Scam Warning

Facebook is one of the most popular social networking sites on the Internet. As the popularity of sites like this increases, the problems related to security also increases.

TrendLabs Malware Blog are reporting about a Facebook phishing attack. The phishing attacks begins by mass mailing potential Facebook users, claiming to be coming from Facebook. It instructs unsuspecting users to click on a URL provided in the email message to update their Facebook login credentials. When the user clicks on the URL, it points them to a website that looks exactly the same as the Facebook website where they are required to input their password only as their email address has been automatically filled up.

After you click on the Login button, another page will open that has a link to an update tool (updatetool.exe) which installs a trojan, identified by Trend Micro as TROJ_ZBOT.CDX on the user’s system.

It drops a copy of itself in the Windows system folder and appends garbage code to the dropped copy to avoid easy detection. It creates a folder with attributes set to System and Hidden to prevent users from discovering and removing its components. It then creates non-malicious files. It modifies a registry entry to enable its automatic execution at system startup. It also injects itself into processes as part of its memory residency routine.

It attempts to access a Web site to download a file which has information where the Trojan can download an updated copy of itself, and where to send its stolen data. This configuration file also has a list of targeted bank-related Web sites from which it steals information. Note that the contents of the file, hence the list of Web sites to watch, may change any time.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user’s account information, which may then lead to the unauthorized use of the stolen data.

It saves the stolen information in a file. It sends the gathered information via HTTP POST to a remote URL.

It accesses a remote site to download its configuration file. The downloaded file has information where it can download an updated copy of itself, and where to send its stolen data.

The TrendLabs Malware blog post has security tips on how to distinguish legit emails from phishing emails. But the most important lesson is to always verify the sender of the email and to stop clicking on links in emails.

You may also like...