Folks who download software advertised as a stress-relief tool might soon find themselves peeved: the program is actually a front for malware that steals their Facebook credentials and payment information.
‘StressPaint’ first appeared only a few days ago. At the time of this writing it has infected over 45,000 Facebook members. The attacks seem to specifically target users who operate Facebook pages and have a payment method configured on the account or page.
Uncovered by Radware, the malware has spread around the globe with a high infection rate, which the researchers say “indicates the malware was developed professionally”.
The infection starts with phishing emails that socially engineer users into believing they are visiting a genuine website. The site they are driven to is in fact a front for the malicious activity.
This site promotes software named ‘Relieve Stress Paint’ and invites the user to download it for free. If they download and run the file, a window opens showing a basic painting program, giving the impression that nothing untoward is happening while the malware runs in the background.
Once ‘Relieve Stress Paint’ is launched, the malware runs automatically, drops its files onto the system and begins stealing information from that moment on, and again each time the computer is restarted.
StressPaint steals information by copying the contents of the Chrome browser's cookie and Login Data files. If saved Facebook credentials are found, they are sent to a command-and-control (C2) server.
Once the stolen credentials are validated, additional information is collected on the compromised account, including the number of friends, whether the account manages a page, and whether a payment method is connected to it.
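The theft described above leaves a host-side trace a defender can hunt for: a copy of Chrome's Login Data or Cookies store sitting outside the browser profile. The script below is an added example, not Radware's analysis code or anything from StressPaint; it assumes Chrome's table and column names (`logins`/`origin_url`, `cookies`/`host_key`) and uses a constructed temp-directory layout as input, reporting only a row count for facebook.com entries rather than any secret values.

```python
# Added hunting example (not Radware's or StressPaint's code): look for copies of Chrome's
# Login Data / Cookies stores staged outside the browser profile. Column names are Chrome's.
import os
import sqlite3
import tempfile

SIGNATURES = {"logins": ({"origin_url", "username_value", "password_value"}, "origin_url"),
              "cookies": ({"host_key", "name", "encrypted_value"}, "host_key")}

def inspect_store(path):
    """Return (table, facebook_rows) if path carries a Chrome credential schema, else None.
    Only a row count is read; password and cookie values are never touched."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        for table, (needed, col) in SIGNATURES.items():
            if table in tables and needed <= {r[1] for r in con.execute(f"PRAGMA table_info({table})")}:
                n = con.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} LIKE '%facebook.com%'").fetchone()[0]
                return table, n
    except sqlite3.DatabaseError:  # plain files and non-SQLite data end up here
        pass
    finally:
        con.close()
    return None

def find_staged_copies(root, chrome_profile_dir):
    """Walk root and list (path, table, facebook_rows) for credential DBs outside the Chrome profile."""
    profile, hits = os.path.abspath(chrome_profile_dir), []
    for dirpath, _, files in os.walk(root):
        if os.path.abspath(dirpath).startswith(profile):
            continue  # Chrome's own store lives here; a copy anywhere else is suspicious
        for path in (os.path.join(dirpath, n) for n in files):
            found = inspect_store(path)
            if found:
                hits.append((path,) + found)
    return hits

def demo():
    """Constructed layout: a staged Login Data copy under Temp, a decoy text file, an empty profile."""
    root = tempfile.mkdtemp()
    profile, staged = os.path.join(root, "User Data", "Default"), os.path.join(root, "Temp", "ld.tmp")
    os.makedirs(profile); os.makedirs(os.path.dirname(staged))
    con = sqlite3.connect(staged)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [("https://www.facebook.com/", "v", b""),
                                                           ("https://example.org/", "v", b"")])
    con.commit(); con.close()
    with open(os.path.join(root, "Temp", "notes.txt"), "w") as f:
        f.write("not a database")
    return find_staged_copies(root, profile)
```

On a real host, point `find_staged_copies` at the user's home or temp directories and at the actual Chrome profile path; every hit is a staged copy worth triaging.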
At present the attacks appear only to be collecting data, but researchers suggest the stolen information could be monetised in a variety of ways, for example by selling the credentials on underground forums, extorting victims by threatening to reveal personal information, political espionage, exploiting stolen payment information, and identity theft.
The fact that the attackers are looking for accounts with pages and users with large numbers of “friends” suggests that those behind the campaign, who have not yet been identified, are playing a longer game.
To avoid falling victim to the StressPaint attack, Radware advises users to be careful about what they click on.