How often do you log in to Facebook? Ten times a day? Fifty? All it takes is once for a new piece of financial fraud malware to catch you off guard and make off with your money.
A reworked version of the cyberattack tool called Ice IX is the culprit. In its new configuration, the Web injection component of Ice IX hits unsuspecting Facebook users with a pop-up window immediately after they log in, Amit Klein from the security company Trusteer explained in a blog post. The Web inject that triggers the scam is being sold in underground cybercrime forums.
The rigged window, which looks exactly like a real Facebook page, tells users they need to "verify" their identity by entering their credit card number, expiration date, card identification number, name and address.
The message in the fake Facebook page says the "verification" is needed "in order to provide you with extra security." Of course, as soon as you hand over your financial data, it's out of your control, and you're in serious trouble.
Equally crooked scams, with the "verify your identity" hook and a desire for your banking credentials, have also been spotted hiding under the assumed legitimacy of emails from eBay and US Airways.
The website Hoax-Slayer reported finding an email claiming to be from eBay that, just like the Facebook Ice IX scam, tells recipients they are signed in "from a computer we're not familiar with," and that in order "to make sure no one is trying to access your account with permission," they need to confirm their identity.
Different approach, similar results: The link included with the message takes users to a rigged eBay login page that asks them to type in their email address, name and password.
In a post on a Kaspersky Lab blog, Dmitry Tarakanov detailed another phishing email, this one purporting to come from US Airways. Tarakanov said this scam has been spreading for more than a week now, telling victims they can check in to their flight. If they follow the instructions to do so, victims are taken through a series of steps that ultimately results in their computers being compromised with the Zeus Trojan, a dangerous banking-account-siphoning cyberweapon.
With so many types of scams out for your identity and cash, it's best to be extremely cautious with any type of pop-up window or unsolicited email that asks you to divulge any personal information. Basic common sense — would you tell a stranger on the street your Facebook password or your credit card number? — should hold true when you're online. To bolster your security, download strong anti-virus software and keep it up to date.