Facebook login & password theft en masse: Ramnit slurps 45,000

Mark Zuckerberg
Facebook logins and passwords are now being stolen by the Ramnit worm. An estimated 45,000 have so far been lifted by this sophisticated, hybrid malware. It's presumably an effort to break into more bank accounts. In IT Blogwatch, bloggers rush to change their passwords.

Your humble blogwatcher (@richi ) curated these bloggy bits for your entertainment. Not to mention: Kate gets her warning...

    Jeremy Kirk sets reporting to Heavy-Stun:

The worm, called Ramnit, infects Windows executables, Microsoft Office and HTML files...steals user names, passwords, browser cookies. ... .

...

Once the Facebook login and password have been collected, it is suspected that...a link is posted on their Facebook profile that leads to Ramnit.

...

A Symantec report from July 2011 put Ramnit as the most common piece of malware it blocked.   
M0RE

   John Leyden adds, poetically:

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it...has only recently extended onto social networks.

...

Ramnit first appeared in April 2010. ... [It's now] able to bypass two-factor authentication and transaction-signing systems.

...

The move onto Facebook...seems designed primarily to expand the malware's distribution network and infect more victims. ... [It] follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.   
M0RE

Seculert's Aviv Raff blogs the discovery:

Ramnit merged several financial-fraud spreading capabilities to create a Hybrid...which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities.

...

With the use of a Sinkhole, we discovered that approximately 800,000 machines were infected with Ramnit from September to end of December 2011.

...

Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. ... [The] viral power of social networks can be manipulated to cause considerable damage.   
M0RE

But Emil Protalinski says the problems not as bad as it seems:

I contacted Facebook for further details, and it turns out that the 45,000 number comes with a little asterisk...“over half of these logins were either invalid or had old/expired passwords,” a Facebook spokesperson said.

...

Still, that leaves a good 20,000 users affected. ... [Facebook] got off easy [but] this is not the first time and it’s definitely not the last time.   
M0RE

Meanwhile, Tony Bradley's here to help:

[T]hink twice about clicking on links...or opening any file attachments from any contacts on any...Web-based services. You should be especially skeptical...[about] an obscure link out of the blue.

...

[Do] not use the same username and password...for more than one service. ... [The] attackers shouldn’t also be able to hack into your bank account...or anywhere else using those same credentials.   
M0RE

   And Finally...
Kate gets her warning

  
 
Don't miss out on IT Blogwatch:

Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies