Recently, IBM Security came across a new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the login page, this version attempts to steal money by duping the user into divulging an e-cash voucher.

Carberp replaces any Facebook page the user navigates to with a fake page that notifies the victim that his or her Facebook account is temporarily locked. The page asks users for their first name, last name, email, date of birth, password and a Ukash 20-euro (approximately $25) voucher number to confirm verification of their identity and unlock the account.

The page claims the cash voucher will be added to the user’s main Facebook account balance, which is obviously not the case. Instead, the voucher number is transferred to the Carberp botmaster, who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euros, or $25.

This clever man-in-the-browser (MitB) attack exploits the trust users place in Facebook and the anonymity of e-cash vouchers. Attacks against online banking applications require moving money to another account, which leaves an auditable trail; this Carberp attack instead lets fraudsters immediately use or sell the e-cash vouchers anywhere they are accepted on the Internet, with no transfer to trace.
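The injection described above rewrites the page after TLS has been terminated in the browser, so the genuine server never sees the extra fields. One defensive check a practitioner can still run, client-side or in a proxy, is to compare the form fields actually present in the rendered page against an allowlist of what the real page is known to submit, and to block any outbound value that looks like a voucher number. The following is an added example written for this page; it is not Carberp code, Facebook code, or any vendor's product logic. The allowlist, the two sample pages, the `facebook.com/login` page key and the 19-digit voucher format are all constructed assumptions for illustration.

```python
"""Page-integrity check against MitB HTML injection (added example, not
original page content). Allowlist, sample HTML and voucher format are
constructed for this illustration."""
import re
from html.parser import HTMLParser

# Constructed allowlist: the named controls a genuine login form is known
# to submit. A MitB injection adds fields the server never asked for.
EXPECTED_FIELDS = {
    "facebook.com/login": {"email", "pass", "lsd", "persistent"},
}

# Words a social-network login page has no reason to show or ask for.
ECASH_PATTERN = re.compile(r"voucher|ukash|paysafe|e-?cash", re.I)
# Assumption for this example: an e-cash voucher number is a 19-digit string.
VOUCHER_VALUE = re.compile(r"^\d{19}$")


class FormFieldExtractor(HTMLParser):
    """Collect every named form control plus the page's visible text."""

    def __init__(self):
        super().__init__()
        self.fields = []   # (name, placeholder) per input/select/textarea
        self.text = []     # visible text chunks

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append((a["name"], a.get("placeholder") or ""))

    def handle_data(self, data):
        chunk = data.strip()
        if chunk:
            self.text.append(chunk)


def analyze_page(page_key, html):
    """Return (kind, detail) findings: fields outside the allowlist, fields
    whose name or placeholder asks for e-cash, and e-cash wording in text."""
    parser = FormFieldExtractor()
    parser.feed(html)
    expected = EXPECTED_FIELDS.get(page_key, set())
    findings = []
    for name, placeholder in parser.fields:
        if name not in expected:
            findings.append(("unexpected_field", name))
        if ECASH_PATTERN.search(name) or ECASH_PATTERN.search(placeholder):
            findings.append(("ecash_request", name))
    match = ECASH_PATTERN.search(" ".join(parser.text))
    if match:
        findings.append(("ecash_text", match.group(0)))
    return findings


def blocked_fields(page_key, form_data):
    """Submit-time check: field names outside the allowlist, plus any value
    that looks like a voucher number regardless of what the field is called."""
    expected = EXPECTED_FIELDS.get(page_key, set())
    return sorted(name for name, value in form_data.items()
                  if name not in expected or VOUCHER_VALUE.match(value))


# Constructed sample: what the genuine login form submits.
GENUINE_PAGE = """
<form action="/login.php" method="post">
  <label>Log in to your account</label>
  <input type="email" name="email"><input type="password" name="pass">
  <input type="hidden" name="lsd" value="x"><input type="checkbox" name="persistent">
  <input type="submit" value="Log In">
</form>"""

# Constructed sample: the same form after a MitB injection modelled on the
# "account temporarily locked" page described above.
INJECTED_PAGE = """
<div class="warning">Your account is temporarily locked. To verify your
identity, enter a 20 EUR Ukash voucher; it will be added to your Facebook
balance.</div>
<form action="/login.php" method="post">
  <input type="text" name="first_name"><input type="text" name="last_name">
  <input type="email" name="email"><input type="text" name="dob" placeholder="Date of birth">
  <input type="password" name="pass">
  <input type="text" name="voucher" placeholder="Ukash voucher number">
  <input type="hidden" name="lsd" value="x"><input type="submit" value="Unlock">
</form>"""

if __name__ == "__main__":
    print("genuine :", analyze_page("facebook.com/login", GENUINE_PAGE))
    print("injected:", analyze_page("facebook.com/login", INJECTED_PAGE))
    print("blocked :", blocked_fields("facebook.com/login",
          {"email": "a@b.example", "pass": "hunter2",
           "voucher": "1234567890123456789"}))
```

The two functions cover different points in the attack: `analyze_page` catches the injection while the page is rendered, and `blocked_fields` catches the data as it leaves the browser, which matters because an injection can hide a voucher field under an innocuous name. An allowlist like this has to be maintained per page version, which is why real anti-MitB products ship it as vendor-managed policy rather than a static table.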

Attacking social networks such as Facebook provides cyber criminals with a large pool of victims who can be easily tricked into divulging confidential account information and, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the Internet, we expect to see more of these attacks. Like card-not-present fraud, where cyber criminals use stolen debit and credit card information to make illegal purchases online with little risk of being caught, e-cash fraud is a low-risk form of crime. With e-cash, however, it is the account holder, not the financial institution, who assumes the liability for fraudulent transactions.

We recommend, as always, that end users be suspicious of odd or unconventional requests, even when they appear to originate from a trusted website. Also consider using browser-based security tools such as IBM Security Trusteer Rapport, which secures communication between the computer and the target website to block MitB techniques such as HTML injection and prevents keyloggers from capturing data.
