The worm uses stolen Facebook account details to log in to users' accounts and spam their contacts, according to researchers at Danish security firm CSIS, which first identified the threat.
The messages contain a link, which, if clicked, appears to be downloading a screensaver of two attractive women, but actually attempts to drop a cocktail of malware onto the system, including Zeus, a prevalent trojan capable of stealing online banking credentials.
Numerous compromised domains are hosting the malware, according to CSIS.
Facebook is currently blocking “almost all” the domains serving the malware, spokesman Fred Wolens told SCMagazineUS.com in an email on Wednesday.
“We are constantly monitoring the situation, and are in the process of blocking domains as we discover them,” Wolens wrote. “We have internal systems in place configured specifically to monitor for variations of the spam, and are working with others across the industry to pursue both technical and legal avenues to fight the bug.”
Graham Cluley, senior technology consultant at anti-virus firm Sophos, said in a blog post Tuesday that users may be apt to click on the nefarious link, given that it seems to have been sent from a friend.
“The danger, of course, is that one of your Facebook friends may have had their account compromised (maybe they were sloppy with their password security, or gave access to a rogue application),” he wrote.
Meanwhile, the FBI in Denver last week issued a warning about a separate scheme involving a variant of Zeus, this one called “Gameover.” The malware spreads via messages purporting to have been sent from the National Automated Clearing House Association, advising users that a transaction they made did not go through.
A link included in the message attempts to infect users with the Gameover malware, which can log keystrokes, steal online banking credentials and defeat sophisticated two-factor authentication security mechanisms.
After an account is compromised, the perpetrators conduct a distracting distributed denial-of-service (DDoS) attack on the financial institution while they carry out the fraudulent transfers.
“The belief is the DDoS is used to deflect attention from the wire transfers, as well to make them unable to reverse the transactions (if found),” the FBI said in the release.
The crooks wire some of the phony transfers to accounts they have set up, and others to those belonging to high-end jewelry stores.
In the case of the latter, the perpetrators contact the stores to request to buy expensive jewels and watches, and say they will pay by wiring money into the company's account. The fraudsters then make the transfer and have money mules go to the store and pick up the jewelry. The transfers are then usually detected by the financial institution and reversed, leaving the jeweler out of whatever merchandise they gave up.