05/21/2012

Most pieces of Facebook malware are mere annoyances — survey scams that generate pennies at a time for the operators, or "like"-jacks that promote dubious products.

However, two new bugs may be harbingers of more serious malware to come.

The more immediately dangerous of the two uses a classic phishing email to direct users to rigged Facebook pages that harbor the SpyEye banking Trojan, a long-lived and very effective information stealer that infects Web browsers to hijack online banking sessions.

The other is a sophisticated clickjacker called LilyJade, which is spreading through Facebook as a worm. It substitutes its own online ads for legitimate ads on Facebook, Yahoo, YouTube, Google and other popular sites in order to generate cash for small-time cybercrooks.

The Flashback malware that infected 600,000 Macs in March made money through clickjacking, and a different piece of malware discovered last week that places ads on Wikipedia pages seems to operate the same way.

Working hard for your money

The SpyEye phishing email, forwarded to Sophos' Naked Security blog by a reader, pretends to be an official notification from Facebook telling the recipient that "we have received an account cancellation request from you." The email then asks the recipient to "follow the link below to confirm or cancel this request."

The link does go to a Facebook.com page, but not an official one. Instead, the visitor is asked to install an unknown Java-based application and is not given an option to decline.

Once the applet is installed, the user is then asked to "update" the Adobe Flash Player — which, in this case, is really a variant of the SpyEye banking Trojan.

Good anti-virus software will block the installation of SpyEye, as will common sense that tells users not to allow installation of unwanted applications.

Source: SecurityNewsDaily