Get a free pair of uggs boot today!
Posted on by Mohammad
A new variant of the Facebook Token Hijacker malware is now in the wild with some new functionality. The recent variant uses obfuscation techniques to hide its code from anti-malware software.
In this attack, the user receives a Facebook post inviting her to claim a special offer of free UGG boots; the user is asked to post her access token after logging into an application (ID: 350685531728) using Facebook's OAuth.
After a successful login, the malware hijacks the user's token and posts on her behalf on her wall. There is a difference between a phishing attack and this new type of attack: in the latter, the automatic exploitation takes place at the very moment the user shares her access token, so the infection procedure starts on the actual victim's side. In the former, the attacker harvests information for future access, which most of the time is challenged by Facebook's Identity and Access Management Controls (IAMC).
The malware also tries to create an event and invites all of the victim's friends to it. This malware is fully capable of hijacking the victim's credentials. The malware currently resides on the following host: http://fbunlimited.info/instagram/ In contrast to the previous variant, this time the domain is not served over a secure HTTP connection (HTTPS).
The malware posts some information to the following links:
http://hub.zabavno.co/?h=108883048315&o=10679714&t=1359836734&tkn=
http://fbunlimited.info/instagram/save.php?postback=y&country=
http://23.23.248.101/u/141689081/e357DuaM6d/chwm5rIocK9M/homepage.html?z=13598367341144
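Because the token is exploited the moment it leaves the victim's browser, a useful detection is to flag any web-proxy request that carries a token-like query value to a host outside facebook.com, as the `tkn=` parameter in the first link above does. The following is an added example written for this post, not code from the original; the proxy log format, the sample log lines, the placeholder token values and the token-parameter names other than `tkn` are assumptions.

```python
"""Flag proxy log lines where a Facebook access token is sent to a third-party host."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Query keys that may carry an OAuth token. 'tkn' comes from the exfiltration
# URL in the post; the other names are an assumption worth watching anyway.
TOKEN_KEYS = {"tkn", "token", "access_token", "fb_token"}

# Only facebook.com and its subdomains are legitimate recipients of the token.
TRUSTED_SUFFIXES = (".facebook.com",)

# Rough shape of a user access token (assumption): a long URL-safe string.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Constructed sample log: "<timestamp> <client_ip> <method> <url>".
# Token values are placeholders, not real tokens.
SAMPLE_LOG = [
    "2013-02-02T21:05:34Z 10.0.0.5 GET http://fbunlimited.info/instagram/",
    "2013-02-02T21:05:40Z 10.0.0.5 GET https://graph.facebook.com/me?access_token=CAAExampleTokenValue0123456789",
    "2013-02-02T21:05:41Z 10.0.0.5 GET http://hub.zabavno.co/?h=108883048315&o=10679714&t=1359836734&tkn=CAAExampleTokenValue0123456789",
    "2013-02-02T21:05:42Z 10.0.0.5 GET http://fbunlimited.info/instagram/save.php?postback=y&country=US",
]

def is_trusted_host(host: str) -> bool:
    host = host.lower()
    return host == "facebook.com" or host.endswith(TRUSTED_SUFFIXES)

def token_leak(url: str) -> Optional[dict]:
    """Return {'host', 'key', 'token'} when a token-like value goes off-site, else None."""
    parts = urlsplit(url)
    if not parts.hostname or is_trusted_host(parts.hostname):
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in TOKEN_KEYS:
            for value in values:
                if TOKEN_SHAPE.match(value):
                    # Truncate the token so the alert itself does not leak it.
                    return {"host": parts.hostname, "key": key, "token": value[:8] + "..."}
    return None

def scan_log(lines) -> list:
    """Return [(line_no, finding)] for every log line that leaks a token off-site."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        hit = token_leak(fields[3])
        if hit:
            findings.append((n, hit))
    return findings

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: token param '{hit['key']}' sent to {hit['host']} ({hit['token']})")
```

Only line 3 of the sample is reported: the same token going to graph.facebook.com is legitimate, and the save.php request carries no token.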
A semi-deobfuscated version of the JavaScript is available here. I am still working on this malware, but feel free to contact me if you need further information.