Ramnit worm steals 31,000 UK Facebook logins

Hackers have used a Ramnit worm variant to harvest 31,000 Facebook usernames and passwords from British users, but most of the stolen information is out of date, according to the social-networking company.

Hackers have used a Ramnit worm variant to harvest 31,000 Facebook usernames and passwords from British users. Image credit: Seculert

Threat assessment company Seculert said on Thursday that the financial fraud Trojan Ramnit, which has existed in one form or another since at least April 2010, has now "gone social" and is using Facebook to spread. According to Seculert's analysis, around 69 percent of those targeted were in the UK and 27 percent in France.

"Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials," Seculert said. "Since the Ramnit Facebook [command and control server] URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France."

It appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms.

– Seculert

Ramnit is three-component malware that can infect Windows executable files, Microsoft Office and HTML files, using the latter to replicate itself, according to Microsoft and McAfee. In August, the worm became a tool for perpetrating financial fraud, after malware writers linked it up with leaked Zeus Trojan source code. Seculert, which said it detected Ramnit on 800,000 computers in the final three months of 2011, described the shift to Facebook as a new "twist".

"With the recent Zeus Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms," Seculert said.

"We suspect that the attackers behind Ramnit are using the stolen credentials to log into victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," it said. "In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc) to gain remote access to corporate networks."

Data 'out of date'

Seculert sent Facebook the harvested data it had found last week. On Thursday, the social-networking company acknowledged that user login credentials had been collected, but said most of them are invalid.

"Our security experts have reviewed the data, and while the majority of the information was out of date, we have initiated remedial steps for all affected users to ensure the security of their accounts," Facebook said

Speaking to ZDNet UK, a spokesman for the social-networking company refused to be drawn on how many user logins constituted a "majority". He did give more details on the remedial steps being taken, saying these involve putting people affected into a security "roadblock".

"Account activity is locked down until they pass through this roadblock, where they must reset their password," the spokesman said.

Facebook also said it had detected no evidence of Ramnit spreading via its site.

"Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our antivirus systems to help users secure their devices," it said.