A computer worm has begun targeting Facebook accounts and has stolen at least 45,000 login credentials from users, say security researchers.
Although the worm, known as Ramnit, is targeting Facebook users around the world, most of those affected are in the UK (69%) and France(27%), according to researchers at Seculert.
Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”.
In August 2011, Trusteer reported that Ramnit was merged with the Zeus Trojan, enabling the worm to bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks.
Seculert researchers have now identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials.
The Ramnit Facebook C&C (command and control) URL is visible and accessible, making it possible for researchers to detect that over 45,000 Facebook login credentials have been stolen worldwide.
“We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further,” the researchers said in a blog post.
They also believe cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services such as Corporate SSL VPN to gain remote access to corporate networks.
“With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms,” the researchers say.
As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands, they said.
Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers and Facebook has confirmed that it is investigating.
06 Jan 2012