The BullGuard products and services are part of NortonLifeLock Inc., a global leader in consumer Cyber Safety with a portofolio of brands including Norton, Avira and more. Learn more at

E-cash fraud via social media - The Carberp case – BullGuard


If you ever try to log in to your social media account and receive a notification that it’s “temporarily locked”, there’s a big chance you’re facing a scam. If – along with the scary notification – you get a request for payment in exchange for unblocking your account, then you’re most certainly a target in an e-cash fraud.


Such internet security scams are spread all over the web, but social media platforms with a huge number of users – like Facebook – are the most targeted. In one particular attack against Facebook, cybercriminals used the Carberp Trojan to make easy money. Formerly known as a banking Trojan, Carberp took centre stage and played its social role exceptionally well. Some Facebook users even “paid” for the performance in Ukash vouchers, unaware of the fact that they had been victims of an e-cash fraud.



From banker Trojan to social Trojan



Carberp was first discovered in 2010 in the Eastern European market, ravaging users’ banking sessions. It is particularly known for stealing users’ banking credentials in man-in-the-browser attacks, and affecting internet security systems of financial and banking institutions just like Zeus or SpyEye. But unlike other Trojans, Carberp is greedier and more focused. Its complex and sophisticated architecture makes it a more dangerous internet security threat. It can:


  • run itself automatically without needing an admin to access a computer and infect it
  • disable other Trojans so that they do not send information to rival cybercriminals
  • harvest data from an infected system
  • target login credentials to specific websites
  • be part of a botnet that offers botnet masters full control over infected computers


It can get onto your computer and in your browser via drive-by downloads, phishing schemes or exploits of out-dated software, and has rootkit features that make it hard to be detected.


In early 2012, with all the buzz surrounding social media, Carberp shifted focus from attacking banking sessions to Facebook login sessions. Cybercriminals compromised the internet security of Facebook users, leveraging on Carberp’s “qualities” and exploiting the trust they showed Facebook, as well as the anonymity of e-cash vouchers.




The precedent has been set



So how was the fraud designed?


After having their computer infected with Carberp, users were exposed to a man-in-the-browser attack – when they tried to log in to their Facebook account, they were redirected to a fake Facebook login page. This page notified them that their account was “temporarily locked”. In order to “unlock” the account, they had to enter their credentials – first name, last name, e-mail, date of birth, password – as well as the number of a Ukash voucher, worth of 20 euro (Ukash is an e-money network that enables you to anonymously exchange cash for vouchers, and then spend the vouchers online).


The page also claimed that the cash would be “added to the user’s main Facebook account balance”. In reality, the voucher number was transferred to the bot master who could use it as cash equivalent or sell it anywhere e-cash vouchers were accepted online. So not only did cyber-crooks get away with users’ personal data, further compromising their internet security, but they were also paid.


The Carberp social case is a testimony to how easily cybercriminals can alter existing malware to use it in new, more targeted attacks. And considering the increasing popularity of e-cash systems, the Carberp social case – as we call this internet security scam – sets a solid precedent for e-cash fraud via social media.



Protect your internet security. Avoid e-cash fraud, social scams and Carberp infections. Here are some tips:


  • Always be suspicious of unconventional requests presumably coming from Facebook or other trusted websites. Check with their Support team if the requests are valid – access their Support service through the official company website, and not through links in suspicious messages. Also, keep in mind that no trustworthy website will ever lock you out and ask for money to let you access your account.


  • Make sure all the applications (including your browser) on your computer are up-to-date. The Vulnerability Scanner in BullGuard Internet Security 12 spots out-dated software and recommends you updates and patches to install.


  • If you use an e-cash voucher (e.g. Ukash voucher), only give the voucher code to merchants approved by the e-money network that issues the voucher – you can see the lists of approved merchants on the networks’ websites. Also, never e-mail your voucher code or give it over phone to anyone.


  • Use an effective internet security tool that comes with Antirootkit protection, in addition to Behavioural Detection, Firewall and Safe Browsing. BullGuard’s proficient internet security suite comes with all these features and keeps you safe from man-in-the-middle attacks. Furthermore, BullGuard’s Support team can provide you with answers to any internet security questions you may have.

Was this article helpful?