Facebook Malware Refocusing on Bank of America

Sean-Paul Correll — Sat, 14 Mar 2009 00:32:00 GMT

The perpetrators behind the recent Classmates and Facebook Malware incident are now refocusing their attack on Bank of America customers. The new website is designed to look like a Bank of America Help page and reads:
“You have not been permitted to access the Bank of America Direct® login page because your browser did not provide a valid digital certificate. In order to access Bank of America Direct, you must have a valid Digital Certificate installed on your PC. For help, please select from the help links below.”

The page includes a fake video which is labeled as an “Installation Demo” but points to a Malicious Executable named Adobeflashplayer.exe, which we detect as Trj/Spyforms.BZ.

Trj/Spyforms.BZ is primarily distributed through links in spam e-mails and the Trojan is designed to monitor network traffic and steal ftp, icq, pop3, and imap passwords. The stolen data is then sent back to a server located in Hong Kong.

Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan

Sean-Paul Correll — Thu, 12 Mar 2009 08:38:00 GMT

Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms Malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating “Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!” and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.

Once installed, the Trojan intercepts network traffic in order to obtain ftp, icq, pop3, and imap passwords and then sends the data back to a server in a Hong Kong based ISP (HOSTFRESH). You may recall the last major Malware incident involving the Hong Kong based ISP, which was one of the providers involved in the malware distribution operation taking place inside of the Atrivo/Intercage network.

PandaLabs : Hostfresh

Facebook Malware Refocusing on Bank of America

Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan