Earlier this month, a threat research team detected malicious activity through internal feeds of a group stealing user credentials and payment methods from Facebook users. This group utilizes phishing as the main form of obtaining the information by downloading a painting application through e-mail or directly through Facebook’s interface. “Relieve Stress Paint” is the offending application and although its name should strike a peculiar note, it’s relatively non-threatening in appearance. After the program is installed, it will run a malware program simultaneously called ‘stresspaint’ in the background.
Once downloaded, ‘stresspaint’ will open a window showing the program to the user, yet it’s merely a guise to coverup what is going on behind the scenes. The program immediately starts dropping files on the system to quietly steal browser cookies and saved passwords in Chrome. This occurs when the program is initially run, if the user executes the program again, and every time the computer is restarted. Additionally, by leveraging a specific data theft method, the creator of this malware focused on trying to keep the program hidden as long as possible.
After only a few days, this malware had infected over 40,000 users and stealing thousands of Facebook user credentials. Because of the swiftness of infection and rapid distribution, it is believed the malware was professionally written. These offenders seem to only be interested in users with Facebook profiles and who have stored payment methods on the site. Since there are an overwhelming amount of people who use Facebook, it makes this attack much more serious. What’s even more concerning, however, is the group has a dedicated section in their control panel for an attack on Amazon, where everybody has store payment information.
It is always prudent to check email for trusted domains. Especially if that e-mail contains any links. Facebook offers a list of valid security-related emails that were sent out to use as a tool to compare if you are unsure of its legitimacy.