Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012 by Nancy Owano report
Number of Ramnit Infected Machines Between September 2011 and December 2011. Image: Seculert.

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown up since it was first discovered as a virus in the wild in 2010. Security company Seculert has posted a January 5 blog saying that Ramnit has stolen 45,000 Facebook login credentials. The accounts are mostly in the UK and France. The security firm, which has been tracking Ramnit, discovered the stolen Facebook cache in its Seculert labs. Seculert in turn passed on to Facebook the stolen credentials that it found on Ramnit servers.

Ramnit’s command and control center is visible and accessible, and the security experts were able to determine the precise number of Facebook victims, which consisted of 69 percent from the UK, 27 percent from France and 4 percent from other countries.

When Ramnit first started causing mischief in 2010 it was considered as a low-level threat, comments SearchSecurity.com.

That assessment has changed. Ramnit’s operators were able to graduate from an older generation of techniques to infect files to morph it into something more powerful, adding Zeus source code to the mix. Trusteer, another security company, warned that the worm had acquired the ability to inject HTML code into a web browser.

A worm is a type of malware that secretly integrates itself into program or data files, and infects more files each time the host program is run. Ramnit can infect Windows executable files, HTML files and other file types.

Ramnit’s subsequent target was finance, bypassing two-factor authentication and transaction signing systems. In gaining remote access to financial institutions, Ramnit was able to compromise online banking sessions and was able to penetrate corporate networks.

Even before the latest Facebook heist, Seculert, using a sinkhole security tool, counted 800,000 machines as infected with Ramnit from September to the end of December 2011.

Ramnit’s presence is not immediately obvious. The worrisome nature of Ramnit is compounded by the fact, say experts, that users tend to use the same password for a number of web-based services, which may include not only Facebook but their mail, a VPN, and others..

Blogger reactions to the news have ranged from “Change your passwords, and often!” to “Don’t click any links, never, no matter from who or how interesting!”

Considering the very definition of social networks and why they are used, that kind of advice may be timely but curiously counter to the whole point. Suspecting friends and relatives of having virus-choked messages and afraid to share links for fear of infection run counter to the reason why users sign on to social networks. Behavioral trends and countertrends will get interesting too.

Another troubling sign of the times is what cybercriminals now see as choice game. E-mail are so Yesterday, say computer experts.

Malware writers are replacing old-school worms transmitted via email with their malware now targeted for social-networks.

Explore further: Twitter rules out Turkey office amid tax row

More information: blog.seculert.com/2012/01/ramnit-goes-social.html

Related Stories

Facebook fights 'phishing' scam

May 01, 2009

Facebook Thursday said it has blocked a link at the heart of a "phishing" scam being used to dupe members into revealing passwords to accounts at the social networking website.

Free app protects Facebook accounts from hackers

Jun 21, 2011

(PhysOrg.com) -- Two University of California, Riverside graduate students and a company run by an alumnus of the school have partnered to develop a free Facebook application that detects spam and malware ...

Facebook adds 'app' passwords to site security

Oct 27, 2011

Facebook is ramping up security by giving people the option of setting passwords for games or other third-party applications added to pages at the leading online social network.

Recommended for you

Net neutrality balancing act

12 hours ago

Researchers in Italy, writing in the International Journal of Technology, Policy and Management have demonstrated that net neutrality benefits content creator and consumers without compromising provider innovation nor pr ...

Twitter rules out Turkey office amid tax row

Apr 16, 2014

Social networking company Twitter on Wednesday rejected demands from the Turkish government to open an office there, following accusations of tax evasion and a two-week ban on the service.

How does false information spread online?

Apr 16, 2014

Last summer the World Economic Forum (WEF) invited its 1,500 council members to identify top trends facing the world, including what should be done about them. The WEF consists of 80 councils covering a wide range of issues including social media. Members come ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

_nigmatic10
5 / 5 (1) Jan 06, 2012
Grats ramnit creators. you now have 45k accounts to play farmville on. Poor FB will be a target for these things for some time to come.

More news stories

Hackathon team's GoogolPlex gives Siri extra powers

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Better thermal-imaging lens from waste sulfur

Sulfur left over from refining fossil fuels can be transformed into cheap, lightweight, plastic lenses for infrared devices, including night-vision goggles, a University of Arizona-led international team ...

Deadly human pathogen Cryptococcus fully sequenced

Within each strand of DNA lies the blueprint for building an organism, along with the keys to its evolution and survival. These genetic instructions can give valuable insight into why pathogens like Cryptococcus ne ...