Facebook ‘Ramnit’ Worm Virus Attacked 45,000 Accounts

The social networking site has tried to stop the spread of a new variety of malicious software that has cracked login details from 45,000 mostly British and French users.

In November 2011, a similar worm was noticed, which suggested users to click on a photo of two blonde ladies. If clicked, the malware would burrow into the user's computer and attempt to steal banking information. Photo: Franco Bouly/Flickr

As the Telegraph reveals, the virus, called Ramnit worm started attacking the system in April 2010, but was only recently adapted to target Facebook details, according to computer security experts.

It is supposed to be previously used by cyber criminals to steal login credentials for other services such as online banking.

The Ramnit worm differs from a usual computer virus as it can reproduce itself without needing to attach itself to an existing program. This ability allows worms to spread very rapidly online.

This week Seculert, an Israeli computer security firm has highlighted the new threat to Facebook users. According to the firm, most of the users affected so far are British or French.

Seculert also discovered that a total of 800,000 machines were invaded by the worm between September-December 2011.

“Our research lab identified a completely new ‘financial’ Ramnit variant aimed at stealing Facebook login credentials,” the firm said in a statement.

“It was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France.”

Seculer has found out that the new Ramnit variant is using it the stolen login details to access victims’ Facebook accounts and send malicious links to their friends.

“We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further,” the firm reported.

The personal data stolen from cracked Facebook accounts can be potentially valuable to cyber criminals and is sometimes traded on online black markets.

Facebook representatives said that the site had learned of the new attack on its users last week and has already taken action to prevent them from further spreading.

It was reported that Facebook security had studied the 45,000 stolen login details and came to the conclusion that most of it was out of date. However all affected users will be forced to reset their password to improve security.

“Last week we received from external security researchers a set of user credentials that had been harvested by a piece of malware,” a spokesman said.

“Our security experts have reviewed the data, and while the majority of the information was out-of-date, we have initiated remedial steps for all affected users to ensure the security of their accounts.“

“Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our anti-virus systems to help users secure their devices.”

Facebook also added that mostly “invalid” accounts have suffered, says Read Write Web.

“Invalid can mean one of several things,” a Facebook rep told reporters. “This includes an e-mail address not associated with a Facebook account, invalid password, or the password was old/expired.”

The site representative urged users not to click on suspicious links and to report any suspicious activity.

Share this article

We welcome comments that advance the story directly or with relevant tangential information. We try to block comments that use offensive language, all capital letters or appear to be spam, and we review comments frequently to ensure they meet our standards. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Coinspeaker Ltd.