Tens of thousands of Facebook accounts have become targets of a malware concealed in the form of a paint program for relieving stress. Researchers from the security firm, Radware, showed some very interesting things about how this program operates. The ‘Relieve Stress Paint’ is available via a domain that uses a Unicode representation and shows up in search engines and emails.
Harmless Paint Program Not So Harmless
The researchers suspect that the program is probably being promoted via spam emails. When it gets installed, the malware appears to be a harmless paint program that changes colors, line sizes etc. However, what’s happening behind the scenes is actually of consequence. It copies data from Chrome which includes cookies and saved Facebook passwords.
Every time a target restarts their computer or opens the program, the ‘Stresspaint’ as dubbed by Radware, copies the Facebook credentials. This stolen data is then sent to a command-and-control server. The researchers managed to access this command server and found that over 40,000 computers had been compromised because of this malware. As a results thousands of Facebook accounts became targets. Any payment details tied to the account, contact details of friends, pages managed by the account etc. were also compromised.
Malware Threat To Users All Around The World
The command interface also had a section where the victims’ Amazon account credentials were seen. The section was,however,empty and the researchers believe that the code for this section was probably not enabled. Another variant of this malware was also indicated in the control panel. Now you must be wondering why any antivirus did not detect such a malware. The answer is simple. The malware was designed to be undetectable. The copying process took less than a minute so antiviruseses did not detect it. The malware was basically just copying cookies and passwords by querying the copies of original cookies and LoginData files. Very simple, but very lethal.
It is not known what the attackers did with these details. It is speculated that it must have been sold on criminal forums, used for identity theft or for making payments on e-commerce sites. If anyone has been infected by this malware, then they should immediately change their passwords and check the security and login section for any unrecognized computers or login activity. Multifactor authentication is always a good idea but it isn’t clear whether this could have stopped the attackers or not. Since cookies were also stolen, there is a possibility that the cookies allowed the attackers to break this protection too.
Facebook officials wrote in a statement: “We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted.”
Share Tweet Submit