We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Facebook used as billboard for malware

A cybercriminal has taken to selling his malware and related services on Facebook, boldly choosing a public forum to reach potential customers over the secretive world of the online underground.

RSA researchers recently discovered on the popular social network what appeared to be an Indonesian-speaking malware developer selling a customized botnet control panel programmed to work with the Zeus banking Trojan. First released in 2007, Zeus is a highly effective malware used to steal online banking and e-commerce credentials from an infected computer.

Most developers and botnet owners will sell their malware and services on invitation only forums frequented by cybercriminals. In this case, the developer and his team are apparently looking for people who don't have the technical chops to participate in the forums, but are looking for an easy way to get started in the lucrative business of cybercrime, RSA said on Friday.

The developer sold the code for his own variant of Zeus, packaged and ready for use. In addition, a person could lease a botnet and buy a beginner-friendly control panel for distributing Zeus and harvesting credentials or launching a distributed denial of service (DDoS) attack. Tutorials and support were also available.

The Facebook Page discovered by RSA advertised the malware and services and provided a link to a website where a potential buyer could see a demonstration. In addition, the page provided frequent updates and information about botnets, exploits, cybercrime and the developer's own malware, Zeus v 1.2.10.1. RSA did not know about pricing.

RSA notified Facebook about the page. Facebook did not respond on Friday to CSO's request for comment.

[Also see: Cybercriminals are just businessmen at heart]

The advertisement was the first RSA had seen on a public social network. In general, such a move would increase the risk of getting caught by international cyber police. However, RSA believes the criminal is likely living in a country with weak or nonexistent laws against such activity.

"Even if his country found out his true identity, they [probably] wouldn't go after him," said Berk Veral, senior product manager for RSA FraudAction.

Many variants of Zeus have appeared since its source code was released in the underground in 2011. Why the code was made public is not known. Some experts have speculated that the owner, who went by the name "Gribodemon" or "Harderman," wanted to devalue Zeus in order to increase sales of his hybrid SpyEye Trojan.

Cybercriminals often hijack Facebook accounts to distribute spam or to embed links to malicious sites. Whether the latest audacious move marks a trend is too soon to say, Veral said.

"That remains to be seen," he said. "This is a bold, bold act."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia