Principal security firms detected a new variant of Facebook Zeus malware that is exploiting the popular social network to target user’s bank accounts.
How does Facebook Zeus steal victim’s credentials?
ZBOT connects to a remote site to download its encrypted configuration file containing the following information:
- Site where an updated copy of itself can be downloaded
- List of websites to be monitored
- Site where it will send the stolen data
“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system.” reported TrendMicro post.
“Best way to describe how we uncover the Zeus Malware is as follows. I observed that the Russian Business Network was created Fake Facebook Profiles that were posted .tk links to websites selling counterfeit Merchandise. The .tk links caught my attention when i did url query of these .tk links url query report listed these as likely hostile and from the Russian Business Network. I turn the links over to a colleague who identified the Zeus Botnet”