Two Symantec researchers have spotted a bogus Facebook page duping victims into downloading data stealing malware.
Researchers Avdhoot Patil and Daniel Regalado Arias reported uncovering the scam in a blog post, warning the criminals are using the site to mount a two-pronged attack against their victims.
"The phishing site boasted that the application would enable users to view a list of people who visited their profile page. The site offered two options to activate the fake app. The first option was by downloading software containing the malware and the second was by entering user credentials and logging into Facebook," read the post.
"A message on the phishing page encouraged users to download the software that would allegedly send notifications to the user when someone visited their Facebook profile. If the download button was clicked, a file download prompt appeared. The file contained malicious content detected by Symantec as Infostealer. On the other hand, if user credentials were entered, the phishing site redirected to a legitimate Facebook page."
The researchers noted the use of the malware as particularly troubling as it has the potential to grant the criminals several espionage and data theft powers.
"Symantec analyzed the malware and found its behavior to be as follows: The malware consists of two executable files that both perform the same action. The files are added to the registry run key, which execute after every reboot. The malware sets up a keylogger in order to track anything that the victim types," read the post.
"Then, it will check if there is internet connectivity by pinging www.google.com. If there is connectivity, the malware will send all information gathered to the attacker’s email address. Symantec observed that the email address has not been valid for three months and hence the malware is not able to send updates to the attacker at the moment."
