A new iteration of the Carberp trojan is targeting Facebook users, but unlike most Facebook attacks that attempt to pinch login credentials, this one is trying to steal money by fooling users into handing over an e-cash voucher.
According to a report from Trusteer’s Amit Klein, the Carberp trojan replaces its victims’ Facebook pages with a counterfeit one when they try to visit the social network. The fake page then notifies the user that their account has been temporarily locked and asks them for their first and last name, email address, date-of-birth, password, and a Ukash voucher for 20 euro to “confirm verification.” The scam goes onto claim that once the voucher is received, the account will be unlocked and the 20 euro will be “added to the user’s main Facebook account balance.”
Of course, the Facebook account isn’t locked. This is just your standard man-in-the-browser attack. Anyone unfortunate enough to comply with the Ukash request is essentially putting 20 euro in the pocket of the Carberp bot-master, not to mention submitting their password, email address, and some personal information as well.
Klein claims that this attack is a particularly clever one because similar attacks against banking applications, at some point, require the attacker to transfer money to another account, thus leaving a trail. In this case, the scammer can just sell or use the voucher wherever it’s accepted immediately, leaving very little trail.