Last week, security researchers at Radware detected the malicious activity of a group that was sending out phishing emails to Facebook users around the world. Attached to the messages was a link to download a seemingly innocuous painting application designed to relieve stress. But the “Relieve Stress Paint” app did the opposite of what it promised, infecting users with an appropriately named malware called Stresspaint.
To throw users off its tracks, the bad actors disguised “Relieve Stress Paint” as aol.net on search engines and in emails using lookalike Unicode characters. Its true address is the far less reassuring “xn--80a2a18a.net,” the Punycode form of the spoofed name. You can see below how a search query for getting rid of stress pulls up the malware under a fake AOL domain.
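As an added illustration (not code from the article or from Radware), the script below decodes a Punycode domain such as the one above to its Unicode form, folds known lookalike letters back to Latin, and reports whether the result matches a protected name. The confusables table is an assumed, small subset of the Unicode TR39 list and the watchlist is constructed.

```python
import unicodedata

# Assumed, small subset of Unicode TR39 confusables: Cyrillic letters that
# render like Latin ones. Not from the article; extend for real deployments.
CONFUSABLES = {
    "\u0430": "a", "\u043e": "o", "\u04cf": "l", "\u0435": "e",
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

def decode_label(label):
    """Turn an A-label like 'xn--80a2a18a' into its Unicode form; pass others through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label):
    """Scripts used by the letters in a label (digits and hyphens are ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(text):
    """Fold known lookalikes to their Latin counterparts (TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def analyse_domain(domain, watchlist):
    """Report the decoded name, its skeleton, and whether it impersonates a watchlist entry."""
    labels = [decode_label(part) for part in domain.lower().split(".")]
    unicode_form = ".".join(labels)
    folded = skeleton(unicode_form)
    return {
        "unicode": unicode_form,
        "skeleton": folded,
        # a label mixing e.g. Cyrillic and Latin letters is itself a warning sign
        "mixed_script": any(len(scripts_of(part)) > 1 for part in labels),
        # at least one lookalike was folded and the result is plain ASCII
        "lookalike": folded != unicode_form and folded.isascii(),
        "impersonates": folded if folded != unicode_form and folded in watchlist else None,
    }

if __name__ == "__main__":
    # Constructed inputs: the article's domain, the genuine one, and a mixed-script name.
    watchlist = {"aol.net", "apple.com", "facebook.com"}
    for d in ("xn--80a2a18a.net", "aol.net", "\u0430pple.com"):
        print(d, "->", analyse_domain(d, watchlist))
```

For the article's domain the decoded form is three Cyrillic letters (а, о and palochka) whose skeleton is "aol.net", which is why it passes visually as AOL.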
Once an unsuspecting user clicks on it, a window pops up that looks similar to Microsoft Paint. The program acts like a legitimate paint program, allowing users to switch colors and line size. While they’re tinkering, the malware infects the computer, collects Chrome cookies and Facebook passwords, and then deletes itself after about a minute. The cookies are transferred and queried at a new location, where additional data, like the number of friends an account has, whether an account manages a page, and payment data, is gathered from predefined Facebook URLs. Stresspaint collects the files again each time the program is opened or the infected computer is restarted.
Nissim Pariente, director of security analytics and research and development at Radware, told the Daily Dot that he can only guess what the bad actors may have stolen from accounts, but it’s likely that payment information, personal messages, and sensitive images were compromised.
It’s also unclear what the information is being used for. Radware suspects the criminals will either sell the data, hold it for ransom or use it for espionage, or engage in identity theft by reusing the credentials. However, since the malware focuses only on Facebook members with a large following, Radware fears it will use the accounts to spread propaganda or create malvertising campaigns.
After gaining access to its control panel, Radware determined some 40,000 Facebook users in two dozen countries had been infected in a matter of days. Judging by its rapid distribution, the security firm says the malware was developed professionally, and based on its findings it suspects an attack on Amazon is imminent. As you can see in the charts below, several thousand users were infected every day this week. Most of the attacks occurred in Vietnam and Russia, with around 500 affecting U.S. users. It’s unclear where the attacks originated, although text in the control panel suggests it may have come from China.
As always, the best advice to protect yourself from the attack is to change your password and avoid downloading apps from unknown sources. You can also go to the security and login settings of your account to see which devices are logged in and from where. If you come across something suspicious, change your password and set up two-factor authentication with your phone number.
Radware made Facebook aware of the malicious activity. The beleaguered social giant provided the following statement:
“We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted. We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”