Phishers Use Malware in Fake Facebook App
Created: 09 Oct 2013 12:25:44 GMT • Updated: 23 Jan 2014 18:03:53 GMT • Translations available: 日本語
Contributor: Daniel Regalado Arias
Phishers frequently introduce bogus applications to add new flavor
into their phishing baits. Let’s have a look at a new fake app that
phishers are leveraging. In this particular scam, phishers were trying
to steal login credentials, but the phishing bait was not their only
means of data theft. Their ploy also used malware to harvest
users’ confidential information. The phishing site spoofed the login
page of Facebook and was hosted on a free web hosting site.
Figure 1: The phishing site that spoofed the appearance of Facebook’s login page
The phishing site boasted that the application would enable users
to view a list of people who visited their profile page. The site
offered two options to activate the fake app. The first option was by
downloading software containing the malware and the second was by
entering user credentials and logging into Facebook. A message on the
phishing page encouraged users to download the software that would
allegedly send notifications to the user when someone visited their
Facebook profile. If the download button was clicked, a file download
prompt appeared. The file contained malicious content detected by
Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site redirected to a legitimate Facebook page.
Symantec analyzed the malware and found its behavior to be as follows:
- The malware consists of two executable files that both perform the same action.
- The files are added to the registry run key, so they execute after every reboot.
- The malware sets up a key logger in order to track anything that the victim types.
- Then, it will check if there is internet connectivity by pinging www.google.com. If there is connectivity, the malware will send all information gathered to the attacker’s email address.
- Symantec observed that the email address has not been valid for 3 months and hence the malware is not able to send updates to the attacker at the moment.
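The behaviors in this list leave traces that endpoint telemetry can correlate. The following is an added example, not code from Symantec or the original post: it flags a process that writes a Run key value, spawns a ping to www.google.com, and opens an outbound mail connection. The event records are constructed and only shaped like Sysmon events 13, 1 and 3, and the SMTP ports are an assumption, since the post does not say how the mail is sent.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like Sysmon records (IDs 13, 1, 3).
# Paths, names and ports are made up; only the fields used below are kept.
EVENTS = [
    {"id": 13, "Image": r"C:\Users\a\AppData\Roaming\viewer1.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\viewer1"},
    {"id": 1, "ParentImage": r"C:\Users\a\AppData\Roaming\viewer1.exe",
     "CommandLine": "ping www.google.com"},
    {"id": 3, "Image": r"C:\Users\a\AppData\Roaming\viewer1.exe", "DestinationPort": 587},
    # Benign lookalikes: an updater autostart, a ping typed in a shell, a mail client.
    {"id": 13, "Image": r"C:\Program Files\Updater\upd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ping www.google.com"},
    {"id": 3, "Image": r"C:\Program Files\Mail\mail.exe", "DestinationPort": 587},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
PING_CHECK = re.compile(r"\bping(\.exe)?\b.*\bwww\.google\.com\b", re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}  # assumption: the stolen data is mailed out over SMTP


def classify(event):
    """Return (responsible process image, behavior tag), or None if irrelevant."""
    if event["id"] == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return event["Image"], "run_key_persistence"
    if event["id"] == 1 and PING_CHECK.search(event.get("CommandLine", "")):
        return event["ParentImage"], "connectivity_ping"  # blame the spawning process
    if event["id"] == 3 and event.get("DestinationPort") in SMTP_PORTS:
        return event["Image"], "outbound_smtp"
    return None


def suspicious_processes(events, threshold=3):
    """Group behaviors per process image; keep images showing >= threshold of them."""
    seen = defaultdict(set)
    for event in events:
        hit = classify(event)
        if hit:
            seen[hit[0].lower()].add(hit[1])
    return {img: sorted(tags) for img, tags in seen.items() if len(tags) >= threshold}


if __name__ == "__main__":
    print(suspicious_processes(EVENTS))
```

Each behavior on its own is common in benign software, which is why the example only reports a process when all three appear together.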
If users fell victim to the phishing site by entering their login
credentials, the phishers would have successfully stolen their
information for identity theft purposes.
Internet users are advised to follow best practices to avoid phishing attacks:
- Check the URL in the address bar when logging into your account and make sure it belongs to the website that you want to go to
- Do not click on suspicious links in email messages
- Do not provide any personal information when answering an email
- Do not enter personal information in a pop-up page or window
- Ensure that the website is encrypted with an SSL certificate by looking for the padlock image/icon, “https” or the green address bar when entering personal or financial information
- Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social networking scams
- Exercise caution when clicking on enticing links sent through email or posted on social networks