The botnet leveraged multiple variants of the Yahos malware, which steals computer users’ credit card, bank account and other personally identifiable information. The arrested group is a diverse bunch, hailing from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the UK and the US.
According to IGL Security, the Yahos worm most commonly spreads over IM services. An infected machine sends its contacts messages such as “Foto :D” or “How does this photo look?” carrying a malicious attachment or link whose filename is chosen to look innocuous, such as photo.exe or facebook-pic.exe, so that a typical user pays no attention to the .exe extension.
IGL noted that “now that social networking is being used more often than IMing in some places, the common IM worm is getting upgrades. A few newer variants have been spotted using the IM services of Facebook. Most of these worms connect to an IRC server to get bot commands.”
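The lure pattern described above (an image-themed message, an attachment named like a photo but carrying an executable extension, or a real PE file behind an image name) is simple to screen for at an IM or mail gateway. The following is an added example written for this page, not code from IGL, Facebook or the FBI investigation. The lure phrases are the two the article quotes, the file-extension lists and the `triage` policy are assumptions, and all sample inputs are constructed.

```python
import re
from typing import List, Optional

# Extensions Windows will run directly when double-clicked (assumed list;
# extend from your own environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "msi"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
# Name fragments a lure uses to suggest a photo (assumed; seed from telemetry).
IMAGE_WORDS = ("photo", "foto", "pic", "picture", "img", "image")
# Message text seen in the Yahos lures quoted in the article.
LURE_PHRASES = (
    re.compile(r"\bfoto\b", re.I),
    re.compile(r"how does this (photo|pic|picture) look", re.I),
)


def classify_attachment(name: str, data: bytes) -> List[str]:
    """Return the reasons an attachment looks like an executable-disguised-as-image.

    An empty list means no signal fired. The checks are independent so a
    single file can trigger several of them.
    """
    reasons: List[str] = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # photo.exe / facebook-pic.exe: executable with an image-themed basename
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        if any(word in parts[0] for word in IMAGE_WORDS):
            reasons.append("image-themed name on an executable")

    # holiday.jpg.exe: the visible ".jpg" is a decoy, the real extension is ".exe"
    if len(parts) > 2 and parts[-2] in IMAGE_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension hiding executable behind image extension")

    # Content check independent of the name: every PE file begins with "MZ",
    # so an "image" or extension-less file starting with MZ is a Windows binary.
    if data[:2] == b"MZ":
        if ext in IMAGE_EXTS:
            reasons.append("PE (MZ) header inside a file named as an image")
        elif ext not in EXECUTABLE_EXTS:
            reasons.append("PE (MZ) header with non-executable extension")
    return reasons


def triage(text: str, name: Optional[str] = None, data: bytes = b"") -> str:
    """Assumed gateway policy: block any message whose attachment trips a
    check; a lure phrase alone is only worth a second look."""
    lure_text = any(p.search(text) for p in LURE_PHRASES)
    attachment_reasons = classify_attachment(name, data) if name else []
    if attachment_reasons:
        return "block"
    if lure_text:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages; the MZ and JPEG byte strings are just headers.
    samples = [
        ("Foto :D", "photo.exe", b"MZ\x90\x00"),
        ("How does this photo look?", "holiday.jpg", b"\xff\xd8\xff\xe0"),
        ("lol", "photo.jpg", b"MZ\x90\x00"),
        ("see you at 5", "agenda.pdf", b"%PDF-1.4"),
    ]
    for text, name, data in samples:
        print(f"{text!r:30} {name:14} -> {triage(text, name, data)}"
              f"  {classify_attachment(name, data)}")
```

The content check matters more than the name check: renaming a PE to photo.jpg defeats a filename filter but not a two-byte header test, and an extension-only filter also misses lures delivered as a link rather than an attachment, which this code does not attempt to cover.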
Indeed, a version of Yahos created by the cyber-ring targeted Facebook users from 2010 to October 2012. Fortunately, the FBI said that Facebook’s security systems were able to detect affected accounts and provide tools to remove these threats.
Facebook’s security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators and those affected by the malware, the FBI said.
“The Yahos malware is reported to propagate via social engineering, and naturally it thrives in the hotbed of social networks,” said Tal Be’ery, web research team leader at Imperva, in an email to Infosecurity. “Users naturally trust messages they receive from friends and will follow the link and will get infected themselves and the malware will try to spread to all of their friends, ad infinitum.”
He added, “using Facebook’s security team, the FBI was probably able to track the propagation of malware to its origin and discover ‘Patient Zero’ of the Yahos epidemic, [which] was probably a fake profile (or profiles) created by the attackers to spread the malware. We assume that, using that account’s access details (e.g. IP address), the FBI was given a lead to the people behind the operation.”
Users and organizations alike can reduce the risk of data theft through infected computers simply by not opening attachments or following links received from strangers, or sent in out-of-character messages from friends. Anti-virus software and ongoing monitoring for unexplained credit card charges and the like can also mitigate both the infections and their aftermath.