"Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is 'temporarily locked,'" says Trusteer CTO Amit Klein in his blog. "The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro [approximately $25 US] voucher number to 'confirm verification' of their identity and unlock the account.
"The page claims the cash voucher will be 'added to the user’s main Facebook account balance,' which is obviously not the case," Klein states. "Instead, the voucher number is transferred to the Carberp bot master, who presumably uses it as a cash equivalent, thus effectively defrauding the user of $25."
The emerging man-in-the-browser (MitB) attack exploits the trust users have in Facebook and the anonymity of Ukash e-cash vouchers, Klein writes. "Unlike attacks against online banking applications that require transferring money to another account -- which creates an auditable trail -- this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately, anywhere they are accepted on the Internet."
This type of attack is likely to grow as e-cash becomes more frequently used, Klein warns. "Like card-not-present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low risk form of crime," he says. "With e-cash, however, it is the account holder not the financial institution who assumes the liability for fraudulent transactions."
Carberp, like its predecessors Zeus and Spyeye, infects machines through malicious files -- such as PDFs and Excel documents -- or drive-by downloads, according to a blog about the Carberp Trojan published by security firm Context Information Security. "In most cases, Carberp will persist undetected by antivirus software on the infected machine using advanced stealth, anti-debugging, and rootkit techniques, and is controlled from a central administrator control panel that allows the attacker to mine the stolen data," the Context blog states. "Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks." The malware uses multiple layers of obfuscation and encryption to remain hidden from malware analysis tools, the Context blog says. "Once embedded and decrypted, the real infection begins with malicious file dropping and process injection steps that provide a backdoor to the host under attack." Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.