Facebook password stealer; hacking the attacker rather than victim

August 11, 2017

2 minute read

Facebook password stealer; hacking the attacker rather than victim

How to hack a Facebook account is one the most searched keywords over the Internet and there are if not thousands then hundreds of websites claiming to provide Facebook account hacking service. But are these sites doing what they claim? Not at all.

According to a Twitter user going by the handle of MalwareHunterTeam, a group of cyber criminals is claiming to have developed a “Facebook password stealer.” However, in reality, installing it on your device opens doors for the hackers to not only steal your Facebook password but also other data including personal and financial.

The researchers discovered that the Facebook password stealer software installs a remote access Trojan (RAT) called njRAT (also known as Bladabindi), first discovered in 2012 developed by Arabic speaking criminals. The Microsoft Malware Protection Center has also rated it as “severe”.

A scan on VirusTotal, a Google owned platform helping users and researchers to scan malicious files, documents and URLs shows that 24 anti-virus software discovered that the Facebook Password Stealer installer contains a backdoor infection.

This “Facebook Password Stealer” not only will send your credentials to an actor instead of hacking your target, but installs njRAT also.
😂 pic.twitter.com/pCRftqBkpF

— MalwareHunterTeam (@malwrhunterteam) August 3, 2017

Once the user installs the so called Facebook Password Stealer, they allow attackers to:

Take remote control of the device

Remotely gain access into the victim’s desktop or active window

See the victim’s IP, full computer name, full username, OS, install date, and country

Remotely execute a file from disk or URL

Manipulate files

Open a remote shell, allowing the attacker to use the command line

Open a process manager to kill processes

Manipulate the system registry

Record the computer’s camera and microphone

Log keystrokes

Steal passwords stored in browsers or other applications

Facebook is not the only social media site whose users are continuously targeted by cyber criminals; several silly password stealers are claiming to steal Twitter login credentials as well. However, for unsuspecting users installing such software can end up with them losing their credit card details, social media credentials, personal videos, and images, etc.

Therefore, don’t get tricked while planning to trick others and avoid downloading such programs and apps on your device. Stay safe online and let others do the same.

Security

How You CAN Delete Almost any video on YouTube

Recently Google announced its current experimental program named Vulnerability Research Grants (VRG). No doubt it is a great…

byWaqas

$The New Multilingual Android Malware Targeting Devices for Phishing and Cryptomining. ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’ was the title of a blog post from Kaspersky Lab published in April 2018 that provided details about the notorious Roaming Mantis malware that performs targeted operation to hijack Android devices. The malware is believed to be evolving rapidly and aims at capturing sensitive user data by infecting the Android device. “Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC,” read Kaspersky Lab’s blog post. In fact, it is capable of performing an array of diverse functionalities including cryptocurrency mining and iOS device phishing apart from targeting Android devices for stealing information. As per Kaspersky Lab’s researcher Suguru Ishimaru, the previous campaign involving Roaming Mantis was also analyzed by Kaspersky Lab and the findings were detailed in its blog post “The Roaming Mantis campaign evolved significantly in a short period of time.” The attacks have been expanded to around 27 different languages including English, Hindi, Russian, Chinese, and Hebrew. Originally the malware was distributed in five languages but now the range has been expanded using an automatic translator. The full list of languages can be accessed here. Developed to be distributed through DNS hijacking, the malware is currently most active in Asian regions including Bangladesh, India, Japan and South Korea, according to Kaspersky Lab’s telemetry data analysis. However, there are also reports of the malware targeting devices in the Middle East and Europe. Roaming Mantis, also known as MoqHao and XLoader, redirects victims to a malicious web page through DNS hijacking while the page is distributed through a fake and infected Facebook or Chrome application (titled 'facebook.apk' or 'chrome.apk'). The application, which contains an Android Trojan-Banker, has to be installed manually by the victim. However, researchers noted that the comments are posted in Simplified Chinese. To hijack iOS devices, a fake page mimicking the official Apple website is distributed that claims to be ‘security.app.com’. The page requires the victim to provide user ID, passwords, CVV, card expiration and card number. Nearly 25 languages are being supported by this site’s HTML source and only Bengali and Georgian are eliminated. Roaming Mantis is also capable of stealing private and sensitive data from Apple and Android mobile phones while cryptocurrency mining is performed by the inclusion of a special script in the malware’s HTML source code, which gets executed whenever the browser is opened. Additionally, a Coinhive Javascript miner is executed to exploit the device’s CPU to mine Monero cryptocurrency. In comparison to other attacks, Roaming Mantis’ cryptocurrency mining is quite subtle. This means a majority of users may not even notice that their device’s resources are being used for mining. “Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser,” explained Kaspersky Lab researchers. So far, about 150 successful attacks have been observed but according to Kaspersky Lab, it more or less represents just a “tiny fraction of the overall picture,” since when DNS hijacking is involved, it becomes quite difficult to identify targets.$