Unsuspecting Facebook users who downloaded an application meant to help them relax by painting have instead been compromised by a malicious program that harvests their sensitive information.
According to a 30 May post on Cylance's Threat Vector written by Kim Crawley, "‘Relieve Stress Paint’ isn’t an app that’s embedded in Facebook though. Rather, cyberattack targets received links to download the malicious application through Facebook messages or email. The cyber attackers exploited the perceived legitimacy and integrity of Facebook and AOL’s brands to transmit their Trojan."
While the targeted victims do indeed receive a working painting application, a malicious payload running in the background harvests sensitive Facebook session cookies, login credentials and similar data.
Cylance found that the attackers' preferred targets are Facebook users who have their own Pages with lots of followers and payment data that is linked to their accounts.
"While ‘Relieve Stress Paint’ is installed on a Windows machine, ‘DX.exe’ remains persistent on the system, and ‘uplink.dll’ is likely the malicious dynamic link library which grabs the target’s sensitive Facebook data," Crawley wrote.
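The report names only two on-host artefacts, a persistent 'DX.exe' process and an 'uplink.dll' library, without saying how persistence is achieved. The following PowerShell triage script is an added example written for this article, not Cylance's tooling or the Trojan's code. It assumes the indicator names are exactly 'DX.exe' and 'uplink.dll' and, because the persistence mechanism is not stated, it checks only the usual autostart locations (Run keys and scheduled tasks) plus a few user-writable directories as an assumption.

```powershell
# Added triage example (not Cylance's tooling): hunt a Windows host for the
# process and DLL names Cylance associated with Relieve Stress Paint.
# Assumptions: indicator names are exactly 'DX.exe' and 'uplink.dll'; the
# report does not say how DX.exe persists, so the autostart checks below are
# limited to Run keys, scheduled tasks and common user-writable folders.
# Run from an elevated prompt so the modules of all processes can be read.

$ProcessName = 'DX'            # Get-Process takes the image name without .exe
$DllName     = 'uplink.dll'
$Findings    = @()

# 1. A running process named DX.exe
Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += [pscustomobject]@{
        Indicator = 'process'
        Detail    = "$($_.ProcessName) (PID $($_.Id)) path=$($_.Path)"
    }
}

# 2. Any process, whatever its name, that has uplink.dll loaded
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName } | ForEach-Object {
            $Findings += [pscustomobject]@{
                Indicator = 'module'
                Detail    = "$($proc.ProcessName) (PID $($proc.Id)) loaded $($_.FileName)"
            }
        }
    } catch {
        # Access denied on protected/system processes is expected without elevation
    }
}

# 3. Autostart entries that reference DX.exe (assumed persistence locations)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -imatch 'DX\.exe') {
            $Findings += [pscustomobject]@{
                Indicator = 'registry'
                Detail    = "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (("$($a.Execute) $($a.Arguments)") -imatch 'DX\.exe') {
            $Findings += [pscustomobject]@{
                Indicator = 'task'
                Detail    = "$($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)"
            }
        }
    }
}

# 4. Copies of either file in user-writable locations (assumed drop folders)
$Roots = @($env:LOCALAPPDATA, $env:APPDATA, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
Get-ChildItem -Path $Roots -Recurse -Force -Include 'DX.exe', 'uplink.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Indicator = 'file'; Detail = $_.FullName }
    }

if ($Findings.Count -eq 0) {
    Write-Output 'No artefacts named DX.exe or uplink.dll found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Filename matches are weak indicators: a hit should be confirmed against the file hashes in Cylance's report (not reproduced here) before a machine is declared infected, and a clean result does not prove the absence of a renamed sample. Because the payload steals session cookies as well as passwords, anyone who ran the application should log out of all Facebook sessions and change the password from a different, trusted device; resetting the password alone does not invalidate a stolen cookie that is still in use.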
Researchers have found that at least 35,000 users around the globe – in countries including Vietnam, Russia, Pakistan, Indonesia, Ukraine, Italy, Romania, Kazakhstan, Egypt, Estonia and France – have been affected. Almost 3,000 of those victims are in Vietnam alone. The targeted campaign has been dubbed the Relieve Stress Paint Trojan.
Facebook users are cautioned to beware of applications that come through unsolicited messages on Facebook. "Even developers of legitimate commercial software who are in the business of making money won’t send people unsolicited Facebook messages in order to market their product," Crawley wrote.