Principal security firms detected a new variant of Facebook Zeus malware that is exploiting the popular social network to target user’s bank accounts.
A Facebook
Zeus malware variant (aka
ZeuS/ZBOT) has been detected by principal security firms confirming the longevity of malicious code and the ability of cybercrime to customize it according to its needs.
Symantec was one of the first companies to detect the Facebook Zeus virus and its capability to drain user’s bank accounts, the malicious code exploits
phishing messages as a method of propagation. A compromised account is used to automatically send messages to its contact with links to ads, usually to video or product.
The new Facebook Zeus instance is able to infect only Windows users, there is no news of variant that targeted Linux or Mac OS X systems.
The Facebook Zeus malware appears very complex, it is able to replace a bank’s Web site page with a fake one used to capture social security number data and other information from the victims. Once again cyber criminals don’t use directly the credentials collected but re-sold them on the black market within a Fraud As A Service (
FaaS) model.
How does Facebook Zeus steal victim’s credentials?
ZBOT connects to a remote site to download its encrypted configuration file containing the following information:
- Site where an updated copy of itself can be downloaded
- List of websites to be monitored
- Site where it will send the stolen data
![](data:image/svg+xml;charset=utf-8,<svg height="100px" width="450px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.” reported TrendMicro post.
![](data:image/svg+xml;charset=utf-8,<svg height="167px" width="480px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
According to
Trend Micro the pages are being hosted by the Russian criminal gang known as the Russian Business Network. Despite Facebook is aware of the diffusion of the Facebook Zeus malware since now it appears to have not taken
clomourous countermeasures. Eric Feinberg, founder of the advocacy group Fans Against
Kounterfeit Enterprise (FAKE) declared that has tried to warn Facebook on the diffusion of the cyber threat. I contacted Mr Feinberg requesting major info on the event and he told me:
“Best way to describe how we uncover the Zeus Malware is as follows. I observed that the Russian Business Network was created Fake Facebook Profiles that were posted .tk links to websites selling counterfeit Merchandise. The .tk links caught my attention when i did url query of these .tk links url query report listed these as likely hostile and from the Russian Business Network. I turn the links over to a colleague who identified the Zeus Botnet”
The majority of the victims of Facebook Zeus malware is located in the USA and UK, other cases are registered all over the world including India, Russia and South Africa.
The resurrection of Facebook Zeus variant is not surprising, cybercriminal
underground Also never stops to make a profit on old cyber threats and the Prolific business is daily growing in the underground.
Pierluigi Paganini
Pierluigi Paganini Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
