The banker Trojan asks to be friends with you

On the tracks of (relatively) recent research on the Brazilian cyberunderground comes news of a “re-ignited” banking malware which is using Facebook as a means of distribution. The threat itself is old, but the infection routes are rather novel.

According to Threatpost, attackers target Brazilian, Portuguese-speaking victims using convincing social engineering to trick users into clicking shortened Bit.ly URLs with the promise of coupons, vouchers or premium software downloads. Brazil’s online federal tax return service is also featured as an attraction point.

The links are distributed via Facebook, and it is not uncommon for users' basic cybersecurity intuition to fail on this social network.

The shortened URLs lead to a server hosted on Google’s cloud platform (yet another point of interest) where the Spy Banker downloader is installed on the victim’s machine. The downloader then grabs the Spy Banker Trojan Telax, whose aim is to steal online banking credentials.

A number of victims were also compromised by drive-by downloads.

In its report, the cybersecurity firm Zscaler brought forward a specific example in which the bit.ly link points to a PHP file hosted on a Google Cloud server.

The PHP file then does a 302 redirect to download the first stage of the attack, the downloader. The executable, in this case, poses as a link to Brazil’s online federal tax return service, but others pretend to be anything from free antivirus software, to WalMart or WhatsApp.
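To make the chain described above concrete, here is an added example (not code from the article, Zscaler or Kaspersky) written from the defender's side in Python: a redirect-chain resolver that follows a shortened link one hop at a time with HEAD requests, so the final payload is never downloaded, and then flags chains that pass through a server-side script and terminate in an executable. The local HTTP server, hostnames, paths and file name are constructed stand-ins for the demonstration, not the campaign's real infrastructure.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed local stand-in for the chain in the article:
# short link -> PHP file on a cloud host -> 302 -> executable download.
# Every path and file name below is invented for the demo.
class _ChainHandler(http.server.BaseHTTPRequestHandler):
    ROUTES = {
        "/abc123": (302, "/promo/receita.php", None),                 # the "short link"
        "/promo/receita.php": (302, "/files/Receita_Federal.exe", None),
        "/files/Receita_Federal.exe": (200, None, "application/octet-stream"),
        "/coupon": (200, None, "text/html"),                           # benign control
    }

    def do_HEAD(self):
        self._serve(head=True)

    def do_GET(self):
        self._serve()

    def _serve(self, head=False):
        status, location, ctype = self.ROUTES.get(self.path, (404, None, "text/html"))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        if ctype:
            self.send_header("Content-Type", ctype)
        self.end_headers()
        if not head and status == 200:
            self.wfile.write(b"MZ..." if ctype == "application/octet-stream" else b"<html>ok</html>")

    def log_message(self, *args):
        pass  # keep the demo output quiet

def start_server():
    """Start the constructed redirect chain on a random localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it,
    # which lets us record each hop ourselves.
    def redirect_request(self, *args, **kwargs):
        return None

def resolve_chain(url, max_hops=10):
    """Follow redirects hop by hop using HEAD; returns [(url, status, content_type)]."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url, method="HEAD")
        try:
            resp = opener.open(req, timeout=5)
            hops.append((url, resp.status, resp.headers.get("Content-Type", "")))
            return hops
        except urllib.error.HTTPError as e:
            hops.append((url, e.code, e.headers.get("Content-Type", "")))
            loc = e.headers.get("Location")
            if e.code in (301, 302, 303, 307, 308) and loc:
                url = urljoin(url, loc)   # relative Location headers are allowed
                continue
            return hops
    hops.append((url, None, "redirect limit reached"))
    return hops

EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".jar")

def assess(hops):
    """Return the reasons a resolved chain looks like a downloader delivery."""
    reasons = []
    final_url, _status, ctype = hops[-1]
    if any(".php" in u.lower() for u, _, _ in hops[:-1]):
        reasons.append("redirects through a server-side script")
    if ctype.split(";")[0].strip() in EXECUTABLE_TYPES or final_url.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("terminates in an executable download")
    if len(hops) >= 3:
        reasons.append(f"{len(hops) - 1} redirect hops before the final resource")
    return reasons

if __name__ == "__main__":
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    for path in ("/abc123", "/coupon"):
        chain = resolve_chain(base + path)
        for u, status, ctype in chain:
            print(f"  {status}  {u}  {ctype}")
        print("  verdict:", assess(chain) or ["nothing suspicious"])
    srv.shutdown()
```

Resolving with HEAD rather than GET is the point of the design: an analyst or a mail/web gateway can expand shortened links and see where they land without ever pulling the executable onto the inspecting host. The same `assess` rule set can be extended with a reputation check on the intermediate hosting domain, since the article notes that free cloud hosting is a recurring choice for this kind of campaign.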

Zscaler said this particular bit.ly link had been clicked more than 103,000 times from the time it surfaced on Oct. 20 through Nov. 30—and 102,000 of those clicks came from Facebook.

By the time of Zscaler’s announcement, Google had already cleaned up the cloud servers to which the malicious links were redirecting.

Anyway, it’s another sad example of legitimate resources, such as respected social networks and cloud services, being used for malicious purposes. It is unknown, so far, how many people fell victim to this particular Spy Banker threat (which actually originates from 2009), but the number of clicks is formidable, and once again Facebook becomes a “mediator” of malware. For businesses, malicious links in social networks (given their use is permitted at the workplace) may become a very costly experience – we covered the possible scenarios back in 2013.

As for this particular case, Kaspersky Lab security researcher Fabio Assolini said the use of social engineering, and of Facebook in particular, is effective because it plays on the user’s trust in messages coming from the social networking platform.

“Actually, Brazilian bad guys are hungry for free hosting and abuse several services to host their files there: Google Docs, Dropbox, Sugarsync and many others – but using Facebook.com was new,” Assolini said.

Given the relative success of the effort, it is very likely that attackers in other regions will attempt something similar in the future. So – let’s repeat that “commandment” – there shall be no excessive trust in any incoming message, unless the receiver is 101% certain that the source is legitimate and so is the message itself.

Tips