
Phishers Use Malware in Fake Facebook App

Created: 09 Oct 2013 12:25:44 GMT • Updated: 23 Jan 2014 18:03:53 GMT • Translations available: 日本語
Contributor: Daniel Regalado Arias
 
Phishers frequently introduce bogus applications to add new flavor into their phishing baits. Let’s have a look at a new fake app that phishers are leveraging. In this particular scam, phishers were trying to steal login credentials, but their means of data theft wasn’t with the phishing bait alone. Their ploy also used malware for harvesting users’ confidential information. The phishing site spoofed the login page of Facebook and was hosted on a free web hosting site.
 
Figure 1: The phishing site that spoofed the appearance of Facebook’s login page
 
The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook. A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site redirected to a legitimate Facebook page.
 
Symantec analyzed the malware and found its behavior to be as follows:
  1. The malware consists of two executable files that both perform the same action.
  2. The files are added to the registry Run key, so they execute after every reboot.
  3. The malware sets up a keylogger in order to track anything that the victim types.
  4. Then, it checks for internet connectivity by pinging www.google.com. If there is connectivity, the malware sends all of the gathered information to the attacker’s email address.
  5. Symantec observed that the email address has not been valid for 3 months and hence the malware is not able to send updates to the attacker at the moment.
 
If users fell victim to the phishing site by entering their login credentials, the phishers would have successfully stolen their information for identity theft purposes.
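The persistence described in step 2 (a Run key entry that relaunches the dropped executables at every reboot) is something a defender can triage from `reg query` output. The script below is an added example written for this article, not Symantec’s tooling; the sample output is constructed, and the heuristics (system binary names, user-writable directories) are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; the entries are made up for this example, not taken from the article.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe
    WinUpdate2    REG_SZ    "C:\Users\alice\AppData\Roaming\fbnotify\svchost.exe"
"""

# One `reg query` value line: name, type and data separated by runs of spaces.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Triage heuristics (assumptions, not a signature): system binary names that should
# never start from a user profile, and directories where dropped files typically land.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")

def parse_run_entries(text):
    """Return (value_name, data) pairs from `reg query` output."""
    return [(m["name"], m["data"].strip())
            for m in map(ENTRY_RE.match, text.splitlines()) if m]

def executable_path(data):
    """Strip arguments from a Run value: quoted path, or first token."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]

def audit_run_entries(text):
    """Map each suspicious Run value name to the reasons it was flagged."""
    findings, first_seen = {}, {}
    for name, data in parse_run_entries(text):
        path = executable_path(data)
        low, base = path.lower(), PureWindowsPath(path).name.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("runs from a temp/download directory")
        if base in SYSTEM_BINARIES and "\\windows\\" not in low:
            reasons.append("system binary name outside the Windows directory")
        if base in first_seen:  # two entries with the same binary name (cf. step 1)
            reasons.append(f"same executable name as entry '{first_seen[base]}'")
        else:
            first_seen[base] = name
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(audit_run_entries(SAMPLE_REG_QUERY))
```

A hit is a starting point for review, not a verdict: legitimate software also installs under AppData, so the flagged file should be checked against the vendor’s binary and its signature before removal.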
 
Internet users are advised to follow best practices to avoid phishing attacks:
  • Check the URL in the address bar when logging into your account and make sure it belongs to the website that you want to go to
  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or window
  • Ensure that the website is encrypted with an SSL certificate by looking for the padlock image/icon, “https” or the green address bar when entering personal or financial information
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, which protects you from phishing scams and social networking scams
  • Exercise caution when clicking on enticing links sent through email or posted on social networks