Carberp Trojan Variant Demands Money to “Unlock” Facebook Accounts

struggle with moneyResearchers at security firm, Trusteer have stumbled upon a new variant of the Carberp Trojan that’s tricking users into paying money in order to “unlock” their Facebook account.

The original version of the Carberp Trojan was designed to steal sensitive data like banking information or login credentials and transmit the stolen data to a remote server. However, the miscreants behind Carberp have kept busy by constantly tweaking and updating the malware with new features.

The most recent version of Carberp targeting Facebook users launches a man-in-the-browser attack, replacing any Facebook page that the user visits with a spoofed page claiming that their Facebook account has been “temporarily locked” –

Fraudulent Facebook Page from Carberp Trojan

“To confirm verification you have to enter 20 euro Ukash voucher. Ukash vouchers are sold by ukash.com website and Ukash.com is not affiliated with Facebook company. 20 euro will be added to your Facebook main account balance. The verification is used to confirm your age and country of origin. The Ukash voucher consists of 19 numbers and face value (sum), begins on “633”. For example: 6337180116517630998”

In order to regain access, the user must “confirm their identity” by providing their full name, email address, year of birth, password, and a €20 ($25 USD) Ukash voucher number.

Contrary to what the page says, the €20/$25 cash voucher will not be “added to your main Facebook account balance”, but instead sent off to the bad guys behind the Carberp Trojan, who then has the ability to use it as a cash equivalent.

The real downer is that just like Western Union wire transfers demanded in email scams, there is little-to-no chance of you recovering the money paid via Ukash vouchers.

Trusteer recommends that users be suspicious of odd/non-conventional requests even when they originate from a trusted website. It’s also suggested to use browser-based security tools that secure communication between the computer and target website to block MitB attack methods like HTML injection and prevent keylogging from grabbing data.

The Carperb Trojan is commonly spread via malicious email attachments and drive-by-downloads, so users can minimize their chances of an infection by running up-to-date antivirus software and opting not to download files attached to emails from unknown sources.

Money slave photo credit: Vector Portal
Carberp Facebook page credit: Trusteer

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

This entry was posted in Computer Security, internet scam, malware, scam and tagged , , , , .
Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5