Nov 15, 2010 12:39 GMT  ·  By

Security researchers from Sophos warn of a new localized Facebook attack, which tries to infect Croatian users with a password-stealing trojan delivered through a rogue Java applet.

As usual, the attack begins with rogue messages sent from compromised accounts. They advertise a Facebook app allegedly capable of adding a new "Love" button, similar in functionality to the "Like" one.

The spammed links take users to a page hosted on an external server, which shows a fake screenshot with the love button in action and contains instructions on how to obtain the feature.

Users are told to select "Run" on the pop-up box that appears when they try to install the app. They are also encouraged to like the page and are told that the love button will show up on their profile within 24 hours.

The pop-up is actually Java's security warning for an unsigned applet carrying malicious code. An applet confined to the Java sandbox cannot write to disk or launch programs, so clicking "Run" is the step that matters: it lets the applet run with the user's full privileges, at which point it attempts to download and execute two additional components from remote servers.

One of them is a trojan designed to steal Facebook credentials saved in the password stores of Internet Explorer, Firefox or Chrome.
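The combination described above, an applet that is not signed by a trusted party yet needs full privileges to fetch and launch files, is something a responder can triage statically from the JAR alone. The following Python script is an added example and not code from the page or from Sophos: it checks whether a JAR carries signature files at all (presence of META-INF/*.SF plus *.RSA, *.DSA or *.EC; this does not verify the signature or the certificate chain) and parses the constant pool of every class file to list references to process execution, file writes and network fetches, which a "download and execute" dropper must use. The class names, method names and the sample JARs are constructed here for illustration; they are not artifacts from the attack.

```python
import io
import struct
import zipfile

# Constant-pool strings that a sandboxed applet has no business referencing.
# Exact matches against the pool's Utf8 entries, so "exec" matches the method
# name entry rather than any substring.
SUSPICIOUS_STRINGS = (
    "java/lang/Runtime", "exec", "java/lang/ProcessBuilder",
    "java/net/URL", "openConnection", "java/io/FileOutputStream",
    "java.io.tmpdir", "user.home",
)


def constant_pool_strings(class_bytes):
    """Return every CONSTANT_Utf8 entry in a .class file's constant pool.

    Only the constant pool is parsed; that is enough to see which classes,
    methods and string literals the code references without running it.
    """
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pos += 2
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):    # Int, Float, *ref, NameAndType, (Invoke)Dynamic
            pos += 4
        elif tag in (5, 6):                           # Long and Double occupy two pool slots
            pos += 8
            idx += 1
        elif tag == 15:                               # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 1
    return out


def triage_jar(jar_bytes):
    """Report whether the JAR carries a signature and which classes reference
    suspicious APIs. 'signed' only means signature files are present; it says
    nothing about whether the signer is trusted."""
    report = {"signed": False, "signature_files": [], "hits": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        sig_files = [n for n in names if n.upper().startswith("META-INF/")
                     and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))]
        report["signature_files"] = sig_files
        report["signed"] = (any(n.upper().endswith(".SF") for n in sig_files) and
                            any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in sig_files))
        for name in names:
            if not name.endswith(".class"):
                continue
            present = set(constant_pool_strings(jar.read(name)))
            found = sorted(s for s in SUSPICIOUS_STRINGS if s in present)
            if found:
                report["hits"][name] = found
    return report


def build_class(utf8_entries):
    """Constructed sample input: a minimal (not loadable) class file whose
    constant pool holds only the given Utf8 strings."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                    for s in utf8_entries)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50)   # class file version 50 (Java 6)
    return header + struct.pack(">H", len(utf8_entries) + 1) + pool + b"\x00" * 8


def build_sample_jar(signed):
    """Constructed sample JAR resembling a 'download and execute' applet;
    the class and file names are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            jar.writestr("META-INF/SIGNER.RSA", b"\x30\x00")   # placeholder, not a real PKCS#7 blob
        jar.writestr("LoveButton.class", build_class([
            "LoveButton", "java/applet/Applet", "init", "java/net/URL", "openConnection",
            "java/io/FileOutputStream", "java/lang/Runtime", "exec"]))
        jar.writestr("Helper.class", build_class(["Helper", "java/lang/Object", "<init>"]))
    return buf.getvalue()


if __name__ == "__main__":
    for signed in (False, True):
        print("signed=%s ->" % signed, triage_jar(build_sample_jar(signed)))
```

Run against a real applet JAR, an unsigned (or self-signed) archive whose classes reference Runtime.exec and FileOutputStream is the pattern described in this article and is worth pulling the downloaded components for. A JAR that is signed should still be checked with jarsigner -verify, since this script only notes that signature files exist.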

According to Vanja Svajcer, the principal SophosLabs virus researcher who analyzed the threat, the malware was likely created with a trojan generator called Facebook Hacker.

This do-it-yourself kit was discovered back in August and is freely available for download on underground websites.

Attackers only need to specify an email address to which the stolen information will be sent, and the SMTP credentials to use when sending it.

"In this case the attacker chose to add a layer of a commercial software protection code, to evade the anti-virus detection," Mr. Svajcer notes.

This attack combines two techniques observed recently in Facebook-related attacks. One is localization, which suggests that attackers are looking to increase their pool of potential victims by targeting non-English speakers.

The other is the Java applet attack vector, which has recently been used to infect both Windows and Mac users with a social networking trojan called Boonana.