Friday, January 20, 2012

Carberp Trojan dupes Facebook users stealing e-cash vouchers

Trusteer has published a blog post by Amit Klein, its CTO and head of cybercrime research, detailing a new attack the company has discovered that targets Facebook users. Unlike past Facebook attacks that steal login credentials, a new configuration of the Carberp Trojan targets e-cash voucher systems. This new twist lets fraudsters exploit the anonymity and instant financial value of e-cash vouchers, which are widely accepted on the Internet.

A new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud has been discovered.
Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.

Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is "temporarily locked". The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro (approximately $25 US) voucher number to "confirm verification" of their identity and unlock the account. The page claims the cash voucher will be "added to the user's main Facebook account balance", which is obviously not the case. Instead, the voucher number is transferred to the Carberp bot master, who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euro/$25.

This clever man-in-the-browser (MitB) attack exploits the trust users place in the Facebook website and the anonymity of e-cash vouchers. Unlike attacks against online banking applications, which require transferring money to another account and so create an auditable trail, this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately anywhere they are accepted on the internet.
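The injected "temporarily locked" form described above has a recognisable shape: it asks for a password and several identity fields in the same form as an e-cash voucher code, on a page that otherwise never requests a voucher. The following is an added example written for this page, not code from Trusteer, from the Carberp sample or from Facebook. It audits a plain description of each form on a page for that combination and for a submit target outside the site's own origin. The form descriptors, field names, the 198.51.100.7 action URL and the regular expressions are all constructed for the example; in a browser, `describeForms(document)` would produce the descriptors from the live DOM.

```javascript
// Added example: page-side audit for Carberp-style injected forms.
// Not from the Trusteer write-up or the Carberp sample; all names below are
// assumptions made for this illustration.

const SITE_ORIGIN = "https://www.facebook.com"; // assumed legitimate origin

// Field-name / placeholder patterns. Voucher wording is the tell for this
// campaign; password and identity fields mark credential-harvesting forms.
const VOUCHER_RE = /voucher|ukash|paysafe|e-?cash/i;
const PASSWORD_RE = /pass(word|wd)?/i;
const PII_RE = /first.?name|last.?name|birth|dob|email/i;

// Resolve a form's action to an origin. An empty action posts back to the
// current page, which counts as the page's own origin.
function resolveOrigin(action, pageOrigin) {
  if (!action) return pageOrigin;
  try {
    return new URL(action, pageOrigin).origin;
  } catch (e) {
    return null; // unparsable action: treated as "not our origin" below
  }
}

// Audit one form descriptor: { action, fields: [{ name, placeholder }] }.
// Returns { suspicious, reasons } so a caller can log or report the reasons.
function auditForm(form, pageOrigin = SITE_ORIGIN) {
  const labels = form.fields.map(f => `${f.name || ""} ${f.placeholder || ""}`);
  const hasVoucher = labels.some(l => VOUCHER_RE.test(l));
  const hasPassword = labels.some(l => PASSWORD_RE.test(l));
  const piiCount = labels.filter(l => PII_RE.test(l)).length;
  const origin = resolveOrigin(form.action, pageOrigin);

  const reasons = [];
  if (hasVoucher) reasons.push("asks for an e-cash voucher code");
  if (hasVoucher && hasPassword) reasons.push("combines voucher code with password");
  if (hasPassword && piiCount >= 2) reasons.push("collects identity data alongside password");
  if (origin !== pageOrigin) reasons.push(`posts to ${origin} instead of ${pageOrigin}`);
  return { suspicious: reasons.length > 0, reasons };
}

// Build descriptors from a real DOM (browser only; unused outside one).
function describeForms(doc) {
  return Array.from(doc.forms).map(f => ({
    action: f.getAttribute("action") || "",
    fields: Array.from(f.elements).map(e => ({ name: e.name, placeholder: e.placeholder }))
  }));
}

// Constructed sample descriptors for a stand-alone run.
const SAMPLE_FORMS = {
  // The site's ordinary login form (constructed, modelled on a typical login page).
  login: { action: "/login.php", fields: [{ name: "email" }, { name: "pass" }] },
  // The injected "temporarily locked" form as reconstructed from the
  // description in the article; the action URL is invented for the example.
  injected: {
    action: "http://198.51.100.7/fb/verify.php",
    fields: [
      { name: "first_name" }, { name: "last_name" }, { name: "email" },
      { name: "dob" }, { name: "password" },
      { name: "ukash_code", placeholder: "Ukash 20 EUR voucher number" }
    ]
  }
};

// Run the audit over the samples when executed directly.
for (const [label, form] of Object.entries(SAMPLE_FORMS)) {
  const result = auditForm(form);
  console.log(label, result.suspicious ? "SUSPICIOUS" : "ok", result.reasons);
}
```

Two caveats belong with this. First, a man-in-the-browser Trojan runs with the browser's own privileges, so it can strip or alter any script the site serves; treat the audit as telemetry to be reported back to the server and correlated, not as a control. Second, an injection may post to the site's real origin while the malware lifts the values out of the browser itself, in which case only the field-content rules fire; that is why the voucher-plus-password check is the primary signal and the origin check is secondary.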

Attacking social networks like Facebook provides cybercriminals with a large pool of victims who can be fairly easily tricked into divulging confidential account information and even, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the internet, we expect to see more of these attacks. Like card-not-present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without much risk of being caught, e-cash fraud is a low-risk form of crime. With e-cash, however, it is the account holder, not the financial institution, who assumes the liability for fraudulent transactions.

To end users we recommend, as always, being suspicious of odd or non-conventional requests even when they seem to originate from a trusted web site. Also consider using browser-based security tools like Trusteer Rapport that secure communication between the computer and the target website to block MitB attack methods like HTML injection and prevent keyloggers from grabbing data.


Source: http://www.securitypark.co.uk/security_article267146.html
