Recently, IBM Security came across a new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the login page, this version attempts to steal money by duping the user into divulging an e-cash voucher.

Carberp replaces any Facebook page the user navigates to with a fake page that notifies the victim that his or her Facebook account is temporarily locked. The page asks the user for a first name, last name, email address, date of birth, password and a Ukash 20-euro (approximately $25) voucher number, supposedly to verify their identity and unlock the account.

The page claims the cash voucher will be added to the user’s main Facebook account balance, which is obviously not the case. Instead, the voucher number is transferred to the Carberp botmaster, who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euros, or $25.

This clever man-in-the-browser (MitB) attack exploits the trust users place in Facebook and the anonymity of e-cash vouchers. Unlike attacks against online banking applications, which require transferring money to another account and therefore create an auditable trail, this new Carberp attack allows fraudsters to immediately use or sell the e-cash vouchers anywhere they are accepted on the Internet.
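As an added illustration (not code from the original post, IBM or Trusteer), the following Python heuristic flags any form on a page that combines the three things the injected "account locked" page asks for: identity details, a password and an e-cash voucher number. The keyword lists and the sample HTML are constructed assumptions, not the actual Carberp injection.

```python
from html.parser import HTMLParser

# Field-name hints for the three signals the post describes (assumed values).
VOUCHER_WORDS = ("ukash", "voucher", "paysafecard")
PASSWORD_WORDS = ("password", "pass")
PII_WORDS = ("first", "last", "email", "birth", "dob")


class FormCollector(HTMLParser):
    """Collects the input names of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one list of input names per form
        self._current = None   # names of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = []
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _has(names, words):
    """True if any input name contains any of the keywords."""
    return any(w in n for n in names for w in words)


def flag_voucher_harvest_forms(html):
    """Return the input-name lists of forms that ask for PII, a password
    and a voucher number together: the pattern of the fake locked-account page."""
    p = FormCollector()
    p.feed(html)
    return [f for f in p.forms
            if _has(f, VOUCHER_WORDS) and _has(f, PASSWORD_WORDS) and _has(f, PII_WORDS)]


# Constructed sample: one injected "verification" form plus a harmless search form.
SAMPLE_INJECTED = """<html><body><h1>Your account is temporarily locked</h1>
<form action="/verify"><input name="first_name"><input name="last_name">
<input name="email"><input name="dob"><input type="password" name="password">
<input name="ukash_voucher"><input type="submit"></form>
<form action="/search"><input name="q"></form></body></html>"""

if __name__ == "__main__":
    print(flag_voucher_harvest_forms(SAMPLE_INJECTED))
```

A real deployment would run this over the rendered DOM (for example from a browser extension), since a MitB Trojan injects into the page after it is received, not on the wire.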

Attacking social networks such as Facebook provides cyber criminals with a large pool of victims who can be easily tricked into divulging confidential account information and, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the Internet, we expect to see more of these attacks. Like card-not-present fraud, where cyber criminals use stolen debit and credit card information to make illegal purchases online without the risk of being caught, e-cash fraud is a low-risk form of crime. With e-cash, however, it is the account holder, not the financial institution, who assumes the liability for fraudulent transactions.

We recommend, as always, that end users be suspicious of odd or unconventional requests, even when they seem to originate from a trusted website. Also, consider using browser-based security tools such as IBM Security Trusteer Rapport, which secures communication between the computer and the target website to block MitB attack methods such as HTML injection and prevents key-logging from grabbing data.
