Facebook’s enduring popularity means that cybercriminals find it a tempting lure for their malicious misdeeds. A newly-spotted phishing scam is no exception.
We came across a malware sample, which we detected as TSPY_MINOCDO.A. The goal is to redirect users who visit Facebook to a spoofed page, which claims to be a part of the social networking website’s security check feature, even sporting the tagline “Security checks help keep Facebook trustworthy and free of spam”.
It does this by redirecting all traffic to facebook.com and www.facebook.com to the system itself (using the affected machine’s HOST file). This ensures that the user can never reach the legitimate Facebook pages. At the same time, the malware is monitoring all browser activity and redirects the user to the malicious site.
Users eager to log into Facebook may fall victim to this ruse, taking the ‘security check’ for face value. This may result in them entering their details and thus exposing their credit card accounts to cybercriminal infiltration.
Figure 1. Fake Facebook Security Page
Figure 2. Packets sending Credit Card information to the malicious server
Upon further analysis, we also discovered that the malware performs DNS queries to several domain names. What this means that the people behind this are prepared for server malfunction and has a backup to continue stealing information.
In addition, unlike other social media attacks which use fraudulent links, it is an executable which runs every system startup. This poses a big threat to multiple users using an affected system.
To stay safe and aware of these threats, always keep in mind that social networking websites would never ask for your credit card or online banking account details for verification. Trend Micro protects you from this threat by blocking the domain hosting this fraudulent webpage.