    Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception.

    We came across a malware sample, which we detected as TSPY_MINOCDO.A. Its goal is to redirect users who visit Facebook to a spoofed page that claims to be part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”.

    It does this by redirecting all traffic to and to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware monitors all browser activity and redirects the user to the malicious site.

    Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ at face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration.

    Figure 1. Fake Facebook Security Page

    Figure 2. Packets sending Credit Card information to the malicious server

    Upon further analysis, we also discovered that the malware performs DNS queries to several domain names. This means that the people behind this are prepared for server malfunction and have a backup to continue stealing information.

    In addition, unlike other social media attacks which use fraudulent links, this is an executable which runs at every system startup. This poses a big threat to multiple users sharing an affected system.

    To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification. Trend Micro protects you from this threat by blocking the domain hosting this fraudulent webpage.
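
As an added example (not part of the original post and not Trend Micro's code), the following Python script audits a hosts file for the kind of redirection described above: entries that pin a watched site to the local machine or to any other static address. The sample file contents, the watched-domain list and the function names are constructed for illustration.

```python
import ipaddress

# Domains to watch; facebook.com is the site named in the post (list is an assumption).
WATCHED = ("facebook.com",)

# Constructed sample hosts file, not taken from the malware sample.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.facebook.com facebook.com   # constructed entry
0.0.0.0         login.facebook.com
192.0.2.10      intranet.example   # unrelated, ignored
not-an-ip       facebook.com
"""

def is_watched(host, watched=WATCHED):
    """True if host equals a watched domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, address, hostname, reason) for each watched name pinned in the file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip lines that do not start with an IP address
        if ip.is_loopback or ip.is_unspecified:
            reason = "points to the local machine"
        else:
            reason = "static override of a public site"
        for name in names:  # one line may map several hostnames
            if is_watched(name, watched):
                findings.append((line_no, addr, name.lower(), reason))
    return findings

if __name__ == "__main__":
    for line_no, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({reason})")
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a public site there deserves investigation, since legitimate software rarely pins such names.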


    • Ali Gültekin

      Has been a useful post, thank you very much indeed.

    • Anthony Joe Melgarejo

      Thank you for giving us your feedback. If you find suspicious files or email messages in your system, feel free to contact our Technical Support Team. Also, you can always send us logs from our product (ATTK logs) to let us check if there is malicious behavior in your system.

    • inez

      Thank you for this information. I believe that I was an intended victim of these cyber criminals, aka butt heads, when I was on Facebook. I have a lot of hard copies of fake certificates and whatnot from different websites that were pretending to be a legit website. I just don't know what to do with the hard copies. Someone stole my Facebook page for the second time last year; now I refuse to go to Facebook, but I still think there is this “fake website certificate” still being used today, and I want to help stop these hackers and report it to the proper authorities. I think that they still lurk inside my computer and I want them arrested!! I just am thankful for Trend Micro's Outstanding Security Software.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice