
New botnet Trojan virus cripples Facebook users, one more time


Jan. 18, 2012

Once again in the past several months, a new variant of Trojan malware is targeting Facebook users, taking over their computers and demanding cash from them.

Over the past three to four years, Facebook has increasingly become the prime target of all kinds of nasty viruses and malware, through links placed on its site that lead to websites hosting malware that will infect a visitor's computer.

Those links are placed by scammers and hackers who have nothing better to do with their time. The social site has now recruited Websense to scan its vast social network for links to malicious sites.

The 'Carberp Facebook Virus', like its predecessors 'ZeuS' and 'SpyEye', infects user's computers by tricking them into opening PDF files and Excel documents loaded with tons of malicious code and viruses, or it simply attacks computers in drive-by downloads.

The hidden malware is designed to steal account information, and harvest credentials for email and social-networking sites. Not only that, but a new configuration of the 'Carberp Trojan' also targets Facebook users to ultimately steal eCash vouchers.

Previous malware attacks on Facebook have been designed purely to slurp login info, so this latest skirmish, spotted by transaction security firm Trusteer, can be considered a lot worse. Facebook users need to address this security concern quickly to avoid further issues.

The Carberp variant replaces any Facebook page the user navigates with a fake page notifying the victim that their Facebook account is temporarily locked. Effectively holding Facebook users hostage, the page then asks the mark for their first name, last name, email, date of birth, password and a $25 voucher number to verify their identity and unlock the account.

Trusteer warns that the cash voucher attack is in some ways worse than credit card fraud, because with eCash it is the account-holder, not the financial institution, who assumes the liability for fraudulent transactions.

Trusteer said it does not have any concrete data on how many people might have been hit by this particular attack. But it warns social networking users, particularly those with eCash accounts, to be wary of this particular scam and any potential follow-up frauds along the same lines, which might easily trap the unwary Facebook user.

Amit Klein, CTO at Trusteer says "This Facebook fraud technique is quite effective. Keep in mind that the user gets an authentic-looking message in the context of a genuine, deliberate log-in page to Facebook. We do know that this is exactly where users are most susceptible to divulging personal information and following additional instructions, as their trust in the content is maximal."

The use of anti-debugging and rootkit techniques make the Carberp Facebook Trojan difficult to detect, warns security consultancy Context Information Security. Context said "Carberp is also part of a botnet that can take full control over many infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks."

Context also adds that Carberp, which creates a backdoor on infected computers, can be easily controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data and ask for more cash from Facebook users.

Trusteer said it had reported the attack to Facebook, and shared malware samples prior to going live with its blog, a day after Facebook boasted it had been free of the Koobface worm for more than nine months.

"I don't think that this incident contradicts their 'virus free' statement, since Carberp only infects the victim PCs without any modification of the victim's profile in Facebook or any other alteration of the Facebook site," Trusteer's CTO said.

Trusteer also published a blog post on Wednesday with screenshots showing more details of the Carberp eCash scam in action.


Scammers are using Facebook as a means to drive traffic towards malware and exploit portals or internet scam sites. In response, Facebook has contracted with Websense for security technology that will soon analyse what's going on.

Cloud technology will assign a security classification to sites, presenting users with a warning if the location is considered dangerous.

A warning page will explain why a site might be considered malicious. Users can still proceed, but at their own risks. The approach is similar to Google Safe Browsing warning technology, which is integrated into Firefox and Chrome.

Previously, individual users had the option to add additional security filtering apps, such as Bitdefender Safego, to their profiles as a means to scan for potential spam and/or malicious links.

In other internet security news

Online shoe and clothing retailer Zappos is asking its 24 million customers to reset their passwords after a series of cyberattacks. "We were recently the victim of a cyber attack by a criminal organization who gained access to our internal network and accounting system through some of our servers," said a posting on the company's website, which was also sent out as a prioritized email message from company CEO Tony Hsieh to Zappos customers yesterday.

Hsieh said that the company has reset customers' passwords and would be sending an email with further instructions to all its users. It also posted password reset instructions on its website.

Zappos added that the cyber attackers gained access to customers' names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers and their encrypted passwords.

However, full credit card numbers and other payment information were stored on a separate server which was not hacked, the company said.

Because it expects an avalanche of email response messages and phone calls from concerned users related to the hacking attempt, Zappos said it was temporarily turning off its phones and would answer all inquiries by email only.

"If just 5 percent of our total customer base calls us, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's email to employees said.

"We've spent almost thirteen years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single hacking incident," Hsieh's email said.

The email message also went out to customers of Zappos' discount website. While large, the attack wasn't the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an unauthorized person obtaining users' names, home addresses, email addresses, birth dates and passwords, according to Sony.

In other internet security news

According to researchers at security tools firm AlienVault, a new variant of the Sykipot Trojan has been used to hack into and disable the U.S. Department of Defense-sanctioned smart cards used to authorise network and building access at many U.S. government agencies.

Overall, smart cards are a standard means of granting active duty military staff, selected reserve personnel, civilian employees and a few eligible contractors access to intranets at the U.S. Army, Navy and Air Force facilities.

They can also be used to get into buildings or, when used in conjunction with a static password, to access specific networks. Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to illegally access classified military networks.

An adapted version of the Trojan virus targets personal computers attached to smart card readers running ActivClient, the client application of ActivIdentity, in what's been described as a smart card proxy attack.

The Sykipot Trojan was created in November 2008 and featured in a number of industrial espionage-style attacks. Researchers at AlienVault captured an adapted version of the malware, specifically designed to circumvent authentication technology supplied by ActivIdentity, in a 'honeypot' about two weeks ago.

Subsequent analysis suggests that hackers added a smart card module to existing malware around March 2011. AlienVault says that the new strain of Sykipot Trojan was developed by the same Chinese authors that created earlier versions of the malware, first seen around three years ago. Previous builds of the Trojan were promoted by spammed messages that posed as information about the next-generation of U.S. Air Force drones.

But in reality, the message pointed at drive-by-download sites that featured the Sykipot Trojan as a payload and took advantage of various IE and Adobe Reader security flaws.

The malware featured in targeted attacks against aerospace technology firms that were ultimately designed to extract commercially sensitive information from compromised systems.

The latest run of attacks also features spear phishing emails that attempt to trick marks into clicking on a link that deposits the Sykipot malware onto their machines. This time around, the malware uses a key-logger to steal PINs associated with smart cards.

Once attackers have authentication codes and associated PINs, they gain the same level of trusted access to sensitive networks as the user whose credentials they have stolen.

The cyber-criminals behind the attack are using another version of the Sykipot virus first discovered in March 2011 that has featured in dozens of attacks since, according to AlienVault.

Jaime Blasco, AlienVault's lab manager, says that Chinese-language messages embedded in the code, together with the exclusive use of software from China, provide evidence that Chinese hackers are ultimately behind the attack. Blasco added that the use of dynamic tokens offering two-factor authentication would thwart this particular line of attack.
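The point Blasco makes is worth seeing in code: a keylogged static PIN can be replayed indefinitely, while a dynamic one-time code is consumed on first use. The following is an added illustration written for this article, not AlienVault's or ActivIdentity's code; it models the smart-card PIN as a plain static secret and the dynamic token as an RFC 4226 HOTP counter-based code, using the RFC's published test-vector secret and constructed sample values.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StaticPinVerifier:
    """Models the article's scenario: a fixed PIN, so a keylogged value stays valid."""

    def __init__(self, pin: str):
        self._pin = pin

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(self._pin, submitted)


class HotpVerifier:
    """Dynamic token: every accepted code advances the counter, so a replay is refused."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._counter = 0          # next counter value the server will accept
        self._look_ahead = look_ahead  # tolerate a few unused presses on the token

    def verify(self, submitted: str) -> bool:
        for c in range(self._counter, self._counter + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self._counter = c + 1  # consume this code and any skipped ones
                return True
        return False


def replay_outcomes():
    """Returns (static_replay_ok, hotp_first_use_ok, hotp_replay_ok)."""
    captured_pin = "482913"                 # constructed value a keylogger would record
    static = StaticPinVerifier("482913")
    static_replay_ok = static.verify(captured_pin)   # attacker reuse succeeds

    secret = b"12345678901234567890"         # RFC 4226 test-vector secret (hypothetical token)
    dyn = HotpVerifier(secret)
    captured_code = hotp(secret, 0)          # the one code the legitimate user typed
    hotp_first_use_ok = dyn.verify(captured_code)
    hotp_replay_ok = dyn.verify(captured_code)       # same code replayed: rejected
    return static_replay_ok, hotp_first_use_ok, hotp_replay_ok
```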

AlienVault supplies security event logging technology and does not compete with ActivIdentity. Blasco said that AlienVault had supplied neither ActivIdentity nor the U.S. DoD with malware samples or notification of its research, which was first made public in a New York Times article on January 12.

ActivIdentity's smart cards are standard issue at the DoD and a number of other U.S. government agencies. Other users include Monsanto, BNP Paribas and Air France.

In response to AlienVault's newest research, ActivIdentity said in a statement "We are aware of the recent reports that purportedly identified a new attack method that could hijack smart card-based certificates."

It then went on to say "We take these reports very seriously and are working diligently to investigate the potential threat. At this time, we are confident that the purported threat poses no immediate risk to our customers."

In other internet security news

The control of U.S. military spy drones has shifted from Windows to Linux following an embarrassing malware and virus infection on the Windows system.

Ground control systems at Creech Air Force Base in Nevada, which commands the killer unmanned drone aircraft, became largely infected with a nasty virus last September. In a statement at the time, the Air Force dismissed the virus as a mild nuisance and said it posed no threat to the operation of Reaper drones.

However, the intrusion was nonetheless treated seriously. "The ground system is separate from the flight control system Air Force pilots use daily to fly the aircraft remotely. The ability of the pilots to safely fly these unmanned aircraft remained secure throughout the incident," it said.

The initial discovery of the virus was nonetheless hugely embarrassing for the Air Force, and had some top lieutenants at the Pentagon asking some very pointed questions.

The credential-stealing malware made its way from a portable hard drive onto ground systems, which control the drones' various weapons and surveillance functions. Portable disks are used to load map updates and transfer mission-critical videos from one computer to another, Defense News added.

"The malware was detected on a standalone mission support network using a Windows-based operating system," a U.S. Air Force statement at the time explained.

"The malware in question is a credential stealer, not a keylogger, found routinely on computer networks and is considered more of a nuisance than an operational threat. It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."

Unmanned drone aircraft units were advised to stop using the removable drives to prevent another outbreak. Behind the scenes, other changes also appear to have been made: screenshots of drone control computers uploaded by security researcher Mikko Hypponen suggest that at least some of the consoles have been migrated from Microsoft Windows to the Linux operating system.

Hypponen says "If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take: Linux."


Source: Trusteer Internet Security.
