Recently, IBM Security came across a new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the login page, this version attempts to steal money by duping the user into divulging an e-cash voucher.
Carberp replaces any Facebook page the user navigates to with a fake page that notifies the victim that his or her Facebook account is temporarily locked. The page asks users for their first name, last name, email, date of birth, password and a Ukash 20-euro (approximately $25) voucher number to confirm verification of their identity and unlock the account.
The page claims the cash voucher will be added to the user’s main Facebook account balance, which is obviously not the case. Instead, the voucher number is transferred to the Carberp botmaster, who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euros, or $25.
This clever man-in-the-browser (MitB) attack exploits the trust users have with Facebook and the anonymity of e-cash vouchers. Unlike attacks against online banking applications, which require transferring money to another account and creates an auditable trail, this new Carberp attack allows fraudsters to immediately use or sell the e-cash vouchers anywhere they are accepted on the Internet.
Attacking social networks such as Facebook provides cyber criminals with a large pool of victims who can be easily tricked into divulging confidential account information and, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the Internet, we expected to see more of these attacks. Like card-not-present fraud, where cyber criminals use stolen debit and credit card information to make illegal purchases online without the risk of being caught, e-cash fraud is a low-risk form of crime. With e-cash, however, it is the account holder, not the financial institution, who assumes the liability for fraudulent transactions.
To end users, we recommend — as always — to be suspicious of odd or unconventional requests, even when they seem to originate from a trusted website. Also, consider using browser-based security tools such as IBM Security Trusteer Rapport, which secures communication between the computer and target website to block MitB attack methods such as HTML injections and prevents key-logging from grabbing data.