Carberp malware targets Facebook users

A malware outbreak is attempting to extort money from users by telling them their Facebook accounts are in danger.

Researchers from security firm Trusteer reported that the Carberp malware was being used to trigger a mass extortion campaign. The malware replaces the landing page for Facebook on locally installed systems with a fake alert page.

Known as a 'man-in-the-browser' infection, Carberp works at the local machine level, intercepting HTML files and replacing them with locally generated attack pages before the site can be displayed in the browser window.

The page claims that a user's Facebook account has been locked and that the only method for retrieval is to enter personal information along with the number for a €20 Ukash online currency voucher.

Malware and botnet operations have been targeting Facebook in recent years. With hundreds of millions of users on the service, fraudsters have been able to play on the heightened level of trust users have for messages and alerts claiming to be from friends and administrators.

Trusteer chief technology officer Amit Klein, noted that Carberp is unique in the way it utilises Facebook. Rather than attempt to harvest account details and spam message feeds, the malware uses Facebook's good name to fool users into sending money.

"The page claims the cash voucher will be 'added to the user’s main Facebook account balance', which is obviously not the case," Klein said in a blog post.

"Instead, the voucher number is transferred to the Carberp bot master who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of €20."

In addition to the use of anti-malware and browser security tools, Klein advises users to keep a close eye on any unusual requests for information or cash transfers, even from otherwise trusted web sites.