Once again Facebook is on The Hacker News! This time not for any scam or surveillance, but for a different reason.
The social networking giant has managed to take down a Greek botnet that used Facebook to spread malware and infected 250,000 computers to mine crypto-currencies, steal bitcoins, email passwords and banking details.
Facebook is always one of the favourite weapons of cyber criminals, cyber thieves and scammers due to its popularity among other social media platforms. This social networking platform, with more than one billion active users, provides special opportunities for people to connect and share information, and it also serves as a great platform for malware developers and scammers.
The botnet, dubbed Lecpetex, was around from December 2013 to last month and compromised around 50,000 Facebook accounts at its peak. Users would receive spam Facebook messages that would typically read "lol", with a zip archive attached.
Once the attachment was opened, it would execute an embedded Java archive file that would download the Lecpetex main module and install a program to begin Litecoin mining secretly on the infected computer. At the same time, other malware sent out from the botnet would steal bitcoins, email passwords and internet banking details.
Moreover, the main module would download and run the Facebook spamming module, which would hijack the user's account by stealing cookies from their browser in an effort to gain access to the victim's Facebook friend list, so that it could send out more spam messages to each friend with a zip file containing malware.
The Lecpetex botnet infected computers with a family of different malware, including the DarkComet remote access trojan, through simple social engineering techniques, and the operators behind it were constantly modifying it in order to evade detection, both by Facebook's attachment scanning software and by anti-virus software.
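The delivery chain described above, a zip attachment carrying a Java archive, is something an attachment filter can check for by content rather than by file name. The following Python is an added example, not Facebook's scanner and not code from the article; the function names, the size cap and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
import zlib

MAX_ENTRY_BYTES = 5 * 1024 * 1024  # assumed cap so one entry cannot exhaust memory
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of a compiled Java class


def _is_java_archive(data):
    """True if data is itself a zip holding a manifest or .class entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = [n.lower() for n in inner.namelist()]
    except zipfile.BadZipFile:
        return False
    return "meta-inf/manifest.mf" in names or any(n.endswith(".class") for n in names)


def java_payloads_in_zip(attachment):
    """Return sorted (entry, reason) pairs; raises BadZipFile if attachment is no zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(attachment)) as archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1 or info.file_size > MAX_ENTRY_BYTES:
                findings.append((info.filename, "uninspectable (encrypted or oversized)"))
                continue
            try:
                data = archive.read(info)
            except (zipfile.BadZipFile, zlib.error, NotImplementedError):
                findings.append((info.filename, "unreadable entry"))
                continue
            # Content checks come first so a renamed archive is still caught.
            if data.startswith(CLASS_MAGIC) or _is_java_archive(data):
                findings.append((info.filename, "Java class or archive content"))
            elif info.filename.lower().endswith((".jar", ".class")):
                findings.append((info.filename, "Java file extension"))
    return sorted(findings)


def constructed_sample():
    """Constructed test attachment: a Java archive renamed to .dat beside a text file."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("Main.class", CLASS_MAGIC + b"\x00" * 4)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("photo.dat", jar.getvalue())
    return outer.getvalue()
```

Calling `java_payloads_in_zip(constructed_sample())` flags `photo.dat` even though its name gives no hint of Java content, which is the case a name-only filter misses.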
Security researchers at Menlo Park said the 31 and 27 year-old botnet creators delivered over 20 distinct spam campaigns, affecting users in Greece, Poland, Norway, India, Portugal, and the US. Nor did the malware target Facebook alone: it was also delivered through torrent files containing pirated content like movies, games and MP3s to trick unwitting downloaders, but this was not observed by Facebook bods.
"On April 30, 2014, we escalated the Lecpetex case to the Cybercrime Subdivision of the Greek Police, and the agency immediately showed strong interest in the case," Facebook engineers wrote in an unauthored post.
After five months of examination, the irritated botnet creators began leaving messages for Facebook engineers on their command and control servers, saying:
"Hello people.. :) but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz.."
They also changed their crypto keys to the phrase 'IdontLikeLecpetexName'.
But Facebook didn't stop its investigation and continued to target the botnet with new countermeasures and automated tools in order to extract more information from it and trace its creators. Finally, the Greek Police arrested two hackers last week, a 31-year-old and a 27-year-old who were both informatics students.
"According to the Greek Police, the authors were in the process of establishing a Bitcoin 'mixing' service to help launder stolen Bitcoins at the time of their arrest," said Facebook. "Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures, and law enforcement cooperation."
The Greek Reporter says that the Lecpetex operation is the biggest case ever handled by Greece's Cyber Crime Unit.