Last week, security researchers at Radware detected the malicious activity of a group that was sending out phishing emails to Facebook users around the world. Attached to the messages was a link to download a seemingly innocuous painting application designed to relieve stress. But the “Relieve Stress Paint” app did the opposite of what it promised, infecting users with an appropriately named malware called Stresspaint.
To throw users off the scent, the bad actors disguised the “Relieve Stress Paint” download as aol.net in search results and in emails, using look-alike Unicode characters in the domain name. Its real address is the far less reassuring punycode form “xn--80a2a18a.net.” You can see below how a search query for getting rid of stress pulls up the malware under the fake AOL domain.
Once an unwitting user clicks it, a window pops up that looks similar to Microsoft Paint. The program behaves like a legitimate paint program, letting users switch colors and line sizes. While they’re tinkering, the malware infects the computer, copies Chrome cookies and saved Facebook credentials, and then deletes itself after about a minute. The stolen cookies are sent to the attackers’ server and replayed against predefined Facebook URLs to gather additional data, such as the number of friends an account has, whether it manages a page, and any stored payment details. Stresspaint repeats this harvesting each time the program is opened or the infected computer is restarted.
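The trick described above is an IDN homograph: a domain whose letters come from another script but render like a familiar brand. The following is an added example, not code from the article or from Radware, showing how a defender can decode the punycode label from the article and flag it. The confusables table is a small constructed subset of Unicode’s confusables list, the brand watchlist is hypothetical, and the other sample domains are constructed for illustration.

```python
"""Decode punycode (xn--) domains and flag look-alike spoofs of watched brands."""
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like
# Latin ones. The real confusables.txt is far larger; this is only illustrative.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u0501": "d", "\u04bb": "h",
}

# Hypothetical watchlist of brand labels a defender wants to protect.
WATCHLIST = {"aol", "facebook"}

# Constructed sample inputs: the domain from the article, the genuine AOL
# domain, a mixed-script look-alike, and an all-Cyrillic domain that is
# not a spoof of anything on the watchlist.
SAMPLE_DOMAINS = [
    "xn--80a2a18a.net",
    "aol.net",
    "faceb\u043eok.com",
    "\u043c\u043e\u0441\u043a\u0432\u0430.\u0440\u0444",
]


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its Unicode form; leave other labels as-is."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def letter_scripts(label: str) -> set:
    """Scripts of the alphabetic characters, read from each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(text: str) -> str:
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze(domain: str) -> dict:
    """Decode a domain and report mixed scripts and watchlist spoofs."""
    labels = [decode_label(part) for part in domain.split(".")]
    decoded = ".".join(labels)
    brand_label = labels[0]          # simplification: first label carries the brand
    scripts = letter_scripts(brand_label)
    brand_skeleton = skeleton(brand_label)
    # A spoof is a label that is not literally the brand but collapses to it.
    spoofs = brand_skeleton if (brand_skeleton in WATCHLIST
                                and brand_skeleton != brand_label) else None
    return {
        "input": domain,
        "decoded": decoded,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton(decoded),
        "spoofs": spoofs,
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze(d)
        verdict = f"spoofs {r['spoofs']}" if r["spoofs"] else "no watchlist match"
        print(f"{d:32} -> {r['decoded']:12} scripts={sorted(r['scripts'])} "
              f"mixed={r['mixed_script']} {verdict}")
```

Run as-is and the article’s domain decodes to three Cyrillic letters whose skeleton is “aol”, while the genuine aol.net and the all-Cyrillic domain pass. A mail gateway or proxy would apply the same decode-then-skeleton check to every link before rendering it to the user.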
Nissim Pariente, director of security analytics and research and development at Radware, told the Daily Dot that he can only guess what the bad actors may have stolen from accounts, but it’s likely that payment information, personal messages, and sensitive images were compromised.
It’s also unclear what the information is being used for. Radware suspects the criminals will either sell the data, use it for ransom or espionage, or commit identity theft by reusing the stolen credentials. However, since the malware focuses on Facebook members with a large following, Radware fears the accounts will be used to spread propaganda or run malvertising campaigns.
After gaining access to its control panel, Radware determined some 40,000 Facebook users in two dozen countries had been infected in a matter of days. The security firm says the malware was developed professionally given its rapid distribution and suspects an attack on Amazon is imminent based on its findings. As you can see in the charts below, several thousand users were infected every day this week. Most of the attacks occurred in Vietnam and Russia, with around 500 affecting U.S. users. It’s unclear where the attacks originated, although text in the control panel suggests it may have come from China.
As always, the best advice to protect yourself from the attack is to update your password and avoid downloading apps from unknown sources. You can also go to the security and login settings of your account to see where devices are logged in from. If you come across something suspicious, change your password and set up two-factor authentication with your phone number.
Radware made Facebook aware of the malicious activity. The beleaguered social giant provided the following statement:
“We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted. We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners. We share tips on how to stay secure and links to these scanners on facebook.com/help.”
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.