Shortly after it started targeting users of social networking giant Facebook, a computer worm has stolen more than 45,000 Facebook login credentials worldwide.
Cyberthreat management site Seculert said most of the credentials appeared to be from people in the United Kingdom and France.
“Recently, our research lab identified a completely new ‘financial’ Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France,” it said.
It said the attackers behind Ramnit appear to be using the stolen credentials to log in to victims’ Facebook accounts and to transmit malicious links to their friends, “thereby magnifying the malware’s spread even further.”
Worse, it said cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.
Seculert said Microsoft had described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files.”
It steals sensitive information such as stored FTP credentials and browser cookies.
A Symantec report in July 2011 estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.
In August 2011, Trusteer reported that Ramnit went “financial.”
“Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a ‘Hybrid creature’ which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities,” it said.
Such a synergy has enabled Ramnit to bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks.
“With the use of a Sinkhole, we discovered that approximately 800,000 machines were infected with Ramnit from September to end of December 2011,” it said.
Social network worms replacing email worms
With the recent ZeuS Facebook worm and this latest Ramnit variant, Seculert theorized sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms.
“As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands,” it said.