Facebook, Gmail, Yahoo and Hotmail users should beware of rogue
rebate offers and new secure payment options aimed at getting them to
part with their debit card information.
Earlier this week Amit
Klein, CTO of Trusteer, announced the discovery of a peer-to-peer
variant of the Zeus platform that leverages trusted relationships and
well-known brands to convince users to sign up for convenient services
and better secure debit card transactions. On each site, the attack
displays a little differently.
"In the first attack against
Facebook, the malware uses a web inject to present the victim with a
fraudulent 20% cash back offer by linking their Visa or MasterCard debit
card to their Facebook account," Klein wrote in a blog post.
"The scam claims that after registering their card information, the
victim will earn cash back when they purchase Facebook points. The fake
web form prompts the victim to enter their debit card number, expiration
date, security code and PIN"
The fraudulent message even includes a footnote
explaining the debit card PIN is for verification purposes only and
should never be disclosed to anyone, including family and friends.
In
attacks against Gmail, Hotmail and Yahoo users, the malware offers a
new authentication service from Verified by Visa and MasterCard
SecureCode supposedly used by 3,000 online stores since January 1, 2012.
Many
merchants require a 3D Secure password to complete an online
transaction; Klein notes this attack doesn't compromise 3D Secure but
instead uses the Visa and MasterCard brands to add credibility.
The
scam that targets Google Mail and Yahoo users claims that by linking
their debit card to their web mail accounts all future 3D Secure
authentication will be performed through Google Checkout and Yahoo
Checkout respectively. It also maintains Hotmail users lacking the 3D
Secure code won't be able to use Hotmail to make online purchases. The
fraudulent site also claims participation in the program protects
against future fraud.
Trusteer officials believe this may be the
first time a web injection attack has targeted 3D Secure. A company
spokesman on Wednesday said it's not sure how many victims may have
fallen for the scam but the numbers could be considerable given the
clever social engineering and popularity of the targeted service
providers.
Courtesy by Anne Saita