Tens of thousands of Facebook accounts have been compromised this month by malicious software masquerading as an “inspirational” painting program that surreptitiously slurps user credentials, a cybersecurity firm said Wednesday.
Dubbed “Stresspaint,” the malware has infected more than 40,000 computers in recent days and subsequently siphoned tens of thousands of Facebook user credentials to the malicious actor responsible, according to Adi Raff, a security research team leader at Radware, the Israeli cybersecurity company that published his findings in a blog post Wednesday.
“We are investigating these malware findings and we are taking steps to help protect and notify those who are impacted,” Facebook said in a statement.
Stresspaint’s perpetrators have successfully duped victims into downloading and running “Relieve Stress Paint,” a seemingly benign painting program that also steals users’ Facebook credentials by searching their computers for internet “cookies,” or text files containing saved browser data, and then sending those records back to a command-and-control server recently accessed by Radware’s researchers, Mr. Raff said in the blog post.
The malware has been distributed through phishing emails directing recipients to install a painting application touted on a website spoofed to resemble a legitimate domain operated by AOL, according to the researcher.
“It’s free,” reads a message on the website. “Relieve fatigue, long-term work pressure! Improve your work needs for your brain, it’s the most important! Inspirational ideas. Music production, graphics production, documentation! When these lose their inspiration, open it and move around, change will increase a lot of fun and creative inspiration! Simple to use.”
The website linking to the malware appears in emails and messages as AOL[.]net, but only because its operators used Unicode characters to spoof its actual address: “xn--80a2a18a[.]net.”
Once downloaded and operated, the painting program begins searching users’ computers for cookies containing Facebook credentials, showing a specific interest in victims who run Facebook pages that contain stored payment information, Mr. Raff said.
“This rapid distribution and high infection rate indicates this malware was developed professionally,” Mr. Raff said. “We suspect that the group’s next target is Amazon as they have a dedicated section for it in the attack control panel.”
Victims infected by the malware risk having their personal information exploited for reasons ranging from monetization and ransom, to espionage and identity theft, according to his blog post.
Cyberattacks that rely on spoofing domain names using Unicode characters are colloquially known as internationalized domain name (IDN) homograph attacks, or “Punycode” attacks. RiskIQ, a San Francisco-based security firm, warned earlier this year that a surge in domains being registered using encoded characters “should be a concerning gap in visibility for any security or digital risk management program.”
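As an added example (not code from the article or from Radware's report), the short Python check below decodes the Punycode label quoted above and flags a domain whose letters render like a watch-listed brand or mix writing systems; the confusable table and the brand list are constructed assumptions, and a production check would use the full Unicode confusables data (UTS #39).

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones
# (assumption for this example; UTS #39 confusables.txt is the real source).
CONFUSABLES = {
    "\u0430": "a", "\u043e": "o", "\u04cf": "l", "\u0435": "e", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0461": "w",
}

PROTECTED_BRANDS = {"aol", "facebook", "amazon"}  # constructed watch list


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label, decoding an xn-- (Punycode) label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Writing systems used by the letters of a label (first word of each Unicode name)."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in label if c.isalpha()}


def skeleton(label: str) -> str:
    """Fold confusable characters onto the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def check_domain(domain: str) -> dict:
    """Flag labels that mix scripts or whose skeleton collides with a protected brand."""
    findings = []
    for raw in domain.lower().split("."):
        label = decode_label(raw)
        scripts = scripts_in(label)
        skel = skeleton(label)
        if len(scripts) > 1:
            findings.append(f"{raw}: mixes scripts {sorted(scripts)}")
        if skel in PROTECTED_BRANDS and skel != label:
            findings.append(f"{raw}: renders as '{label}' but its skeleton '{skel}' is a protected brand")
    return {"domain": domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for d in ("xn--80a2a18a.net", "aol.net", "f\u0430cebook.com"):
        print(check_domain(d))
```

Run against the address from the article, the check decodes the label to three Cyrillic letters whose skeleton is "aol" and reports it; the genuine ASCII domain passes.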
• Andrew Blake can be reached at ablake@washingtontimes.com.