Malware tricks Facebook users into exposing credit cards

Malware tricks Facebook users into exposing credit cards

Summary: Security firm Trusteer has discovered a new piece of malware that tricks Facebook users into handing over their credit card, debit card, and/or social security numbers.


A new variant of the Ice IX malware tricks Facebook users into exposing their credit card, debit card, and/or social security numbers. The malware does this by displaying a separate Web form inside a browser pop-up window, which looks similar to Facebook's design, when you navigate to the social network's login webpage. One of the version of this malware ask for the following: Cardholder name, Credit or debit card number, Expiry date, Card identification number, and Address on your monthly statement.

As you can see in the screenshot above, courtesy of Trusteer, the attackers claim the information is needed to verify the victim's identity and provide additional security for their Facebook account:

In order to provide you with extra security, we occasionally need to ask you for additional information. We need to verify your identity with a credit or debit card. Please enter the information below to continue.

In other words, if you don't want to hand over your credit card or debit card, you won't be able to continue to your Facebook account.

The security firm even discovered a "marketing" video circulating in underground forums, presumably used by the creators of the malware to demonstrate how the web injection works as a selling point to anyone who wants to steal the information from unsuspecting Facebook users. The video shows the whole web injection process.

First, a criminal logs in to his or her Facebook account. Next, the pop up presents the aforementioned message, although it also requests a social security number and date of birth. The criminal fills out the fields, and finally the information entered is shown being delivered to his or her messenger application. Once the rogue form is submitted, the malware forwards the sensitive information to its authors via instant message, so it can be abused as soon as possible.

"This video illustrates the seamless sophistication of pre-built webinjects that are readily available for purchase on the internet," Trusteer CTO Amit Klein said in a statement. "It also demonstrates how accomplished criminals are at marketing their malware products. Most of all, this attack highlights how fraudsters are branching out from their 'bread and butter' online banking schemes into lateral applications with much larger user populations. By attacking Facebook and other ubiquitous social networks fraudsters can tap a massive pool of victims. They can also use the information harvested from social network users to perpetuate fraud on multiple in fronts including online banking, retail, and even to penetrate enterprise and government networks."

Facebook will never ask for your credit card number, debit card number, social security number, or any other sensitive information on the site or via e-mail. That being said, while Facebook will never ask for your password over e-mail, in certain cases the company will and does ask for your password even if you are already logged in, as I learned last month.

I have contacted Facebook about this piece of malware and will update you if I hear back.

See also:

Topics: Social Enterprise, Banking, Malware, Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Really stupid...

    You would have to be really stupid to fall for this.
    • Simple Soultion

      There is a simple solution for this scam:

      [b]don't use Facebook[/b].
  • Intelligence test

    Anyone who actually enters the requested information fails the above test, and shouldn't be allowed to have a digital watch, much less any type of computing device.
  • Simple Solution?

    A agree, DON'T USE FACECROOK! And yes there are 65535 I/O Ports using option base 0, or 65536 using option base 1.
    Denny Fry
  • Facebook doesn't need to spoof anything. They ALREADY have your info!!!

    After our "page" hit 100 likes, Facebook emailed me a FREE $50 AD coupon to use for Facebook ads. When I setup the ad and then went to enter the coupon code, MY personal Debit Card info was already assigned to this FREE $50 account WITHOUT ever entering that information ANYWHERE on Facebook! There is something I consider damn close to Identity Theft going on behind the doors of Facebook. Be warned! I cancelled the ad due to this fact. When I sent this Facebook Ads problem to their attention, I got back a canned response that NEVER addressed my concern or "HOW" they got my information out of the blue. Big brother now has a new bastard son. I agree with the other comments about spoofing Facebook, but this goes way beyond that. This _IS_ FACEBOOK!
  • Oh Yes, they do!

    "...Facebook will never ask for your credit card number, debit card number, social security number, or any other sensitive information on the site or via e-mail. ..."

    I guess you have never placed a Facebook Ad.