The ESET research comments on the recent example of a Carberp attack against Facebook users. “Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is ‘temporarily locked,’” wrote Trusteer CTO Amit Klein describing the attack. “The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro [approximately $25 US] voucher number to ‘confirm verification’ of their identity and unlock the account.”
ESET notes that this isn’t a new or modified version of the malware, “but simply a special configuration file that contains the full html code for the fake Facebook page.” Before this, says ESET, “Carberp’s main activity is confined to the region of Russia and the former Soviet republics, and this activity centered on fraud targeting the major Russian banks and stealing money from RBS (Remote Banking Service) systems.”
But it isn’t difficult to change the target configuration by simply introducing new changes to the updated configuration file. Trusteer has separately noted a new Carberp attack aimed at French broadband users.
ESET’s research also notes the new addition of a DDoS plug-in “developed in Delphi 7 and based on the network components from the Synapse TCP/IP library”. It provides HTTP/HTTPS, GET/POST, and download flood attacks, and includes multiple types of user-agents and legitimate web resources to avoid DDoS prevention systems.
Is Carberp is being positioned for both wider geographical use and additional (DDoS) purposes? “We’ve been seeing reports of Carberp involvement in attacks on remote banking services in other parts of Europe for a while,” ESET senior research fellow David Harley told Infosecurity, “but couldn’t be sure to what extent this was a side-effect of activity in and around Russia. Obviously, such services aren’t exclusive to single banks. We have also seen Carberp activity specific to Western European countries but that tends to be in short spikes. Facebook extortion is quite a departure, and it’s a type of attack that seems to be more effective in Eastern Europe anyway (to date). However, it clearly indicates that the gang isn’t averse to trying out new approaches, and there’s plenty of potential in this mechanism for variations.”