Our researchers have discovered a new configuration of the Ice IX malware. It attacks Facebook users after they have logged in to their account and steals credit card and other personal information. We even discovered a “marketing” video used by the creators of the malware to demonstrate how the Web injection works.

How Ice IX Malware Works

The global reach and scale of the Facebook service makes it a favorite target of fraudsters. Recently, we wrote about criminals stealing e-cash vouchers from Facebook users and selling bulk Facebook log-in credentials. This latest attack uses a web injection to present a fake web page in the victim’s browser. The form requests that the user provide their name, credit or debit card number, expiration date, card ID and billing address. The attackers claim the information is needed to verify the victim’s identity and provide additional security for their Facebook account.

For anyone who believes the cyber crime economy lacks the sophistication of the legitimate economy, the following marketing video provides conclusive evidence that it does not. We discovered this video circulating in underground forums. It demonstrates in step-by-step fashion how to perform a Web inject cycle to attack Facebook users.

The video begins at the Facebook log on page with the criminal logging in to a Facebook account.

Next, the video demonstrates the pop-up created by the Web inject. This pop-up presents virtually the same message used in the Ice IX configuration our researchers discovered and analyzed. The only difference is the version in the video requests a social security number and date of birth in addition to the information mentioned earlier. In the video, the criminal fills out the fields.

Finally, the video shows the Ice IX malware delivering the information entered in the pop-up to the fraudster’s messenger application.

What It Means for Users

This video illustrates the seamless sophistication of pre-built Web injects that are readily available for purchase on the Internet. It also demonstrates how accomplished cyber criminals are at marketing their malware products. Most of all, this attack highlights how fraudsters are branching out from their bread-and-butter online banking schemes into lateral applications with much larger user populations.

By attacking Facebook and other ubiquitous social networks, fraudsters can tap a massive pool of victims. They can also use the information harvested from social network users to perpetuate fraud on multiple fronts, including online banking or retail, and even to penetrate enterprise and government networks.

Facebook’s Response

We contacted Facebook to advise them that they would be mentioned in this blog. Facebook requested that we pass on some information about their site’s security measures. Here’s a summary of their response:

  1. Facebook actively detects known malware on users’ devices to provide Facebook users with a self-remediation procedure, including the Scan-and-Repair malware scan. To self-enroll in this check point, please visit on.fb.me/AVCheckpoint.
  2. Report to Facebook any spam found on the Facebook site, and remember Facebook will never ask for your credit card, social security or any other sensitive information other than your username and password while logging in.

View on-demand webinar: Cybercriminals Never Sleep

More from Fraud Protection

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

What to do about the rise of financial fraud

6 min read - As our lives become increasingly digital, threat actors gain even more avenues of attack. With the average person spending about 400 minutes online, many scammers enjoy a heyday. Old impersonation scams continue to deceive people every day, as con artists and hackers are armed with advanced technologies and sophisticated social engineering tactics. According to the Federal Trade Commission, financial fraud increased by over 30% from 2021 to 2022, with total losses surpassing $8.8 billion. This ever-evolving threat will continue to…