Last week, security researchers at Radware detected the malicious activity of a group that was sending out phishing emails to Facebook users around the world. Attached to the messages was a link to download a seemingly innocuous painting application designed to relieve stress. But the “Relieve Stress Paint” app did the opposite of what it promised, infecting users with an appropriately named malware called Stresspaint.
To throw users off its tracks, the bad actors disguised “Relieve Stress Pain” as aol.net on search engines and in emails using Unicode characters. Its true address is a much scarier “xn--80a2a18a.net.” You can see below how a search query for getting rid of stress pulls up the malware in a fake AOL domain.
Nissim Pariente, director of security analytics and research and development at Radware, told the Daily Dot that he can only guess what the bad actors may have stolen from accounts, but it’s likely that payment information, personal messages, and sensitive images were compromised.
It’s also unclear what the information is being used for. Radware suspects the criminals will either sell the data, use it as ransomware/espionage, or engage in identity theft by reusing the credentials. However, since the malware is only focusing on Facebook members with a large following, Radware fears it will use accounts to spread propaganda or create malvertising campaigns.
After gaining access to its control panel, Radware determined some 40,000 Facebook users in two dozen countries had been infected in a matter of days. The security firm says the malware was developed professionally given its rapid distribution and suspects an attack on Amazon is imminent based on its findings. As you can see in the charts below, several thousand users were infected every day this week. Most of the attacks occurred in Vietnam and Russia, with around 500 affecting U.S. users. It’s unclear where the attacks originated, although text in the control panel suggests it may have come from China.
Radware made Facebook aware of the malicious activity. The beleaguered social giant provided the following statement:
“We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted. We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”