We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.
This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.

The mail claims the password has been changed and that it is available in the attached zip file. Once the victims unzip it, they see a file with a spreadsheet icon. When the victim tries to open the file to look for a password, it drops the payload and deletes itself. Once the malware is installed, it establishes a connection to the attacker’s server through the HTTP port and attempts to download more payloads onto the infected machine.
The malware also downloads a keylogger and runs it covertly. This second attack logs every keystroke so that it can collect information such as login IDs, passwords, and credit card and Social Security numbers. The malware sends the data to a remote server through a backdoor it creates. But this is not yet the end of the game.
While this data theft occurs, the malware also tries to download a fake security product. The rogue application enters through the backdoor and is covertly installed on the victim’s machine. Once installed, the fake product runs a service that kills almost all open applications: Notepad, Calculator, Registry Editor, Task Manager, and others. (It does not kill Internet Explorer because it needs IE to communicate with the malware server.) After killing these apps, the malware shows a fake alert claiming that the application you’re trying to open is being used to connect to a malware server. (See image below.)


Phishing campaigns on social networking sites are not new. Scammers are not satisfied only pushing spam to sell “Canadian” pills. Now they also want to sell fake security products, and they need all of our passwords. With McAfee coverage, you’ll be protected against this cocktail attack.
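A mail-gateway triage check for the lure described above (a forged From: address plus a zip attachment), added here as an illustration and not taken from McAfee's products. The Return-Path comparison, the extension list, the function names and the sample message are assumptions made for the example; the post says only that the zipped file shows a spreadsheet icon, so treating it as an executable is also an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXT = (".exe", ".scr", ".pif", ".com")  # assumed extension list

def domain(header):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def triage(raw, brand_domain="facebook.com"):
    """Return the reasons a raw message matches the lure pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    # From: claims the brand while the envelope sender is another domain.
    if from_dom == brand_domain and rp_dom != brand_domain:
        reasons.append(f"From {from_dom} but Return-Path {rp_dom or 'missing'}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            members = zipfile.ZipFile(io.BytesIO(part.get_content())).namelist()
        except zipfile.BadZipFile:
            reasons.append(f"{name}: unreadable zip")
            continue
        reasons += [f"{name} contains executable {m}"
                    for m in members if m.lower().endswith(EXEC_EXT)]
    return reasons

def build_sample(return_path, member):
    """Constructed message for testing; every value is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"placeholder bytes, not a program")
    m = EmailMessage()
    m["From"] = "Facebook <support@facebook.com>"
    m["Return-Path"] = f"<{return_path}>"
    m["Subject"] = "Your password has been changed"
    m.set_content("Your new password is in the attached file.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="password.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("bounce@mailer.example", "password.xls.exe")))
```

A header mismatch alone also occurs in legitimate bulk mail, so these reasons are signals for quarantine or review; the receiving server's SPF, DKIM and DMARC results remain the stronger test of a forged sender.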