{"id":15120,"date":"2015-12-21T18:09:48","date_gmt":"2015-12-21T18:09:48","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4972"},"modified":"2018-09-18T09:20:11","modified_gmt":"2018-09-18T13:20:11","slug":"facebook-banker-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/facebook-banker-malware\/15120\/","title":{"rendered":"The banker Trojan asks to be friends with you"},"content":{"rendered":"<p>On the heels of (relatively) <a href=\"https:\/\/securelist.com\/analysis\/publications\/72652\/beaches-carnivals-and-cybercrime-a-look-inside-the-brazilian-underground\/\" target=\"_blank\" rel=\"noopener\">recent research on the Brazilian cyberunderground<\/a> comes news of a \u201cre-ignited\u201d banking malware that is using Facebook as a means of distribution. The threat itself is old, but the infection routes are rather novel.<\/p>\n<p><a href=\"https:\/\/threatpost.com\/banking-malware-moving-over-facebook-hosted-in-cloud\/115628\/\" target=\"_blank\" rel=\"noopener nofollow\">According to Threatpost<\/a>, attackers target Brazilian, Portuguese-speaking victims using convincing social engineering to trick users into clicking shortened Bit.ly URLs with the promise of coupons, vouchers or premium software downloads. Brazil\u2019s online federal tax return service is also used as a lure.<\/p>\n<p>The links are distributed via Facebook, and it\u2019s not uncommon that the basic cybersecurity intuition of this social network\u2019s users fails them.<\/p>\n<p>The shortened URLs lead to a server hosted on Google\u2019s cloud platform (yet another point of interest) where the Spy Banker downloader is installed on the victim\u2019s machine. 
The downloader then grabs the Spy Banker Trojan Telax, whose aim is to steal online banking credentials.<\/p>\n<p>A number of victims were also compromised by drive-by downloads.<\/p>\n<p>In its report, the cybersecurity firm Zscaler described a specific example in which the bit.ly link points to a PHP file hosted on a Google Cloud server.<\/p>\n<p>The PHP file then issues a 302 redirect to download the first stage of the attack, the downloader. The executable, in this case, poses as a link to Brazil\u2019s online federal tax return service, but others pretend to be anything from free antivirus software to WalMart or WhatsApp.<\/p>\n<p>Zscaler said this particular bit.ly link had been clicked more than 103,000 times from the time it surfaced on Oct. 20 through Nov. 
30\u2014and 102,000 of those clicks came from Facebook.<\/p>\n<p>By the time of Zscaler\u2019s announcement, Google had already cleaned up the cloud servers to which the malicious links were redirecting.<\/p>\n<p>Anyway, it\u2019s another sad example of legitimate resources, such as respected social networks and cloud services, being used for malicious purposes. It is unknown, so far, how many people fell victim to this particular Spy Banker threat (which actually originates from 2009), but the number of clicks is formidable, and again Facebook becomes a \u201cmediator\u201d of malware. 
For businesses, malicious links in social networks (given their use is permitted at the workplace) may become a very costly experience \u2013 <a href=\"https:\/\/business.kaspersky.com\/malicious-links-in-social-networks-a-costly-experience\/1145\/\" target=\"_blank\" rel=\"noopener nofollow\">we covered the possible scenarios back in 2013<\/a>.<\/p>\n<p>As for this particular case, Kaspersky Lab security researcher Fabio Assolini said the use of social engineering, and Facebook in particular, is effective because it plays on the user\u2019s trust in messages coming from the social networking platform.<\/p>\n<p>\u201cActually, Brazilian bad guys are hungry for free hosting and abuse several services to host their files there: Google Docs, Dropbox, Sugarsync and many others \u2013 but using Facebook.com was new,\u201d Assolini said.<\/p>\n<p>Given the relative success of the effort, it is very likely that attackers in other regions will attempt something similar in the future. So \u2013 let\u2019s repeat that \u201ccommandment\u201d \u2013 there shall be no excessive trust in any incoming messages, unless the receiver is 101% certain the source is legitimate and so is the message itself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On the heels of (relatively) recent research on the Brazilian cyberunderground comes news of a \u201cre-ignited\u201d banking malware that is using Facebook as a means of distribution. 
The threat itself<\/p>\n","protected":false},"author":209,"featured_media":13017,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[20,36,211],"class_list":{"0":"post-15120","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-facebook","10":"tag-malware-2","11":"tag-social-media"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/facebook-banker-malware\/15120\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/facebook-banker-malware\/15120\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/facebook-banker-malware\/15120\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/facebook\/","name":"Facebook"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15120"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15120\/revisions"}],"predecessor-version":[{"id":18421,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15120\/revisions\/18421"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13017"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/w
p\/v2\/categories?post=15120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}