Ramnit worm steals 31,000 UK Facebook logins

Summary: Researchers have found a new variant of the Ramnit worm to be targeting Facebook, but the social networking firm has downplayed the impact


Hackers have used a Ramnit worm variant to harvest 31,000 Facebook usernames and passwords from British users, but most of the stolen information is out of date, according to the social-networking company.

[Image: Ramnit infection chart. Image credit: Seculert]

Threat assessment company Seculert said on Thursday that the financial fraud Trojan Ramnit, which has existed in one form or another since at least April 2010, has now "gone social" and is using Facebook to spread. According to Seculert's analysis, around 69 percent of those targeted were in the UK and 27 percent in France.

"Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials," Seculert said. "Since the Ramnit Facebook [command and control server] URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France."

Ramnit is three-component malware that can infect Windows executable files, Microsoft Office and HTML files, using the latter to replicate itself, according to Microsoft and McAfee. In August, the worm became a tool for perpetrating financial fraud, after malware writers linked it up with leaked Zeus Trojan source code. Seculert, which said it detected Ramnit on 800,000 computers in the final three months of 2011, described the shift to Facebook as a new "twist".

"With the recent Zeus Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms," Seculert said.

"We suspect that the attackers behind Ramnit are using the stolen credentials to log into victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," it said. "In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc) to gain remote access to corporate networks."

Data 'out of date'

Seculert sent Facebook the harvested data it had found last week. On Thursday, the social-networking company acknowledged that user login credentials had been collected, but said most of them are invalid.

"Our security experts have reviewed the data, and while the majority of the information was out of date, we have initiated remedial steps for all affected users to ensure the security of their accounts," Facebook said.

Speaking to ZDNet UK, a spokesman for the social-networking company refused to be drawn on how many user logins constituted a "majority". He did give more details on the remedial steps being taken, saying these involve putting people affected into a security "roadblock".

"Account activity is locked down until they pass through this roadblock, where they must reset their password," the spokesman said.

Facebook also said it had detected no evidence of Ramnit spreading via its site.

"Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our antivirus systems to help users secure their devices," it said.



David Meyer


Talkback

5 comments
  • Who on earth is sad enough to steal Facebook logins? If anyone actually cares that their login has been stolen then they deserve it. Social networking was supposed to be fun at first, now people depend on it. It's ridiculous, no I don't have Facebook and I still have contact with my friends that matter
    aba@...
  • Hackers have used a Ramnit worm variant to harvest 31,000 Facebook usernames and passwords from British users.
    Update your Anti Virus Now.
    anonymous
  • @ qazwsxedcrfvtgby . I find it disturbing that you can be so short sighted. How many of your passwords, PIN numbers and user names have nothing to do with your life experiences? Identity theft is a major crime because of the financial and employment repercussions that can occur. Stealing log-in credentials is not the main aim of such a virus, access to sensitive information that most consider to be 'safe' is incredibly serious. Access to addresses, family details, medical issues to name a few. Think before condemning even if on the surface your argument seems to make sense.
    anonymous
  • Lol they're more than welcome to my Facebook, have fun looking at the loads of mindless junk on it, just like every other Facebook account.
    Mombasa69
  • It scared that Facebook account would be hacked, there are no of hacking companies are hacked Facebook active accounts. Mostly it's due to IPs details. We should try Secure IP to connect our Facebook account. It's only due to VPN software.
    UK VPN