As Facebook and Google work to become trusted names in payments, fraudsters are quick to exploit that trust.
A new malware strain is emerging as a ruse to trick consumers into divulging bank account and card data by suggesting they transfer Facebook Credits to bank accounts and other financial systems, Andreas Baumhof, chief technology officer for ThreatMetrix, said in an interview.
Some scammers instead impersonate Google, asking Gmail users to link a payment card to make purchases online.
The scam intercepts credit and debit card information by replicating the typical log-in page for each service, Baumhof says. Consumers around the world are falling for it because they encounter the bogus log-in pages when they are deep within ecommerce or other trusted sites, he says.
The malware is related to Zeus, a malicious program famous for its effectiveness at stealing financial data.
Both Facebook and Google are working to build their payments businesses. Facebook recently began shifting to a system that uses real currencies for online purchases instead of its invented Facebook Credits, and Google is promoting its Wallet system both online and at the point of sale.
"As digital currency becomes more commonplace, consumers are at risk for getting tricked into turning social media credits into cash for fraudsters to siphon," Baumhof says.
Representatives from Facebook and Google did not reply to requests for comment by deadline.
Unlike another common scam that asks for consumers' log-in details at the outset of opening a Web page, this new scam poses as a legitimate log-in page when a consumer has already logged in at a retailer site or a Google Gmail account, Baumhof says.
"The fake log-in page looks normal and consumers' guard is down because they are well along into a routine operation," he says.
ThreatMetrix tracked the scam after several incidents came to the San Jose security firm's attention, Baumhof says.
The fraudsters appeal to consumers by making false promises to provide rewards for linking their bank accounts to a Facebook or Google account. One promises 20% cash back for providing credit card details purportedly to buy Facebook Credits.
Another urges consumers to "link your debit card right now with your Google Mail account to pay simply and securely at more than 3,000 stores online."
Banks have been the more common targets of similar Zeus malware scams in the past, but the phenomenon is fairly new for retailers, Baumhof says.
To protect websites from such attacks, operators can use a variety of tools that work invisibly in the background to detect activity that deviates from a consumer's regular behavior, he says.
"Most of these malware scams trigger systems that detect a variety of anomalies relatively easily," Baumhof says.
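The attack described above presents a second, fraudulent log-in page inside a session that is already authenticated, so one check a site operator can run in its own page script is a form-integrity audit: compare the input fields actually present in the rendered form with the fields the site served, and raise an event when extra fields asking for card or bank data appear. The following is an added example, not code from the article, from ThreatMetrix, or from Facebook or Google; the field names, the expected-form allow-list, the sample forms, the sensitive-name patterns and the placeholder page URL are all constructed for illustration.

```javascript
// Added example (not from the article or any vendor named in it): a client-side
// form-integrity check a site operator could embed in its own pages to notice
// when a login form has been altered in the browser to ask for card or bank
// details the site never collects there.
//
// The allow-list, the name patterns, the sample forms and the page URL below
// are assumptions constructed for this example.

// Allow-list of the inputs the site's own login form is supposed to contain.
const EXPECTED_LOGIN_FIELDS = new Set(["username", "password", "csrf_token"]);

// Heuristic name patterns that indicate financial data being requested on a
// page where the operator never asks for it.
const SENSITIVE_FIELD_PATTERNS = [
  /card/i, /cc_?num/i, /cvv|cvc|csc/i, /expir/i, /iban/i, /routing/i,
  /account_?(no|number)/i, /sort_?code/i, /pin$/i,
];

// Given the input names actually present in a form (in a browser, for example
// Array.from(form.elements, (e) => e.name)), report which names are not in the
// allow-list and which of those look like financial fields.
function auditFormFields(actualNames, expectedNames = EXPECTED_LOGIN_FIELDS) {
  const unexpected = [];
  const sensitive = [];
  for (const name of actualNames) {
    if (!name) continue;                 // unnamed inputs such as submit buttons
    if (expectedNames.has(name)) continue;
    unexpected.push(name);
    if (SENSITIVE_FIELD_PATTERNS.some((re) => re.test(name))) sensitive.push(name);
  }
  return {
    tampered: unexpected.length > 0,   // anything beyond the served form
    highRisk: sensitive.length > 0,    // extra fields that ask for card/bank data
    unexpected,
    sensitive,
  };
}

// Constructed samples: the form as served, and the same form after a
// browser-side modification that adds card fields and a "bonus" field.
const SERVED_FORM = ["username", "password", "csrf_token", ""];
const INJECTED_FORM = [
  "username", "password", "csrf_token",
  "card_number", "cvv", "expiry_date", "bonus_code",
];

// Build the telemetry record the page script would post to the site's own
// logging endpoint; the URL is a placeholder.
function buildReport(formNames, pageUrl = "https://example.invalid/login") {
  const audit = auditFormFields(formNames);
  const event = audit.highRisk ? "form_inject_suspected"
              : audit.tampered ? "form_modified"
              : "form_ok";
  return { page: pageUrl, event, ...audit };
}

// Stand-alone run: evaluate both constructed samples.
if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildReport(SERVED_FORM), null, 2));
  console.log(JSON.stringify(buildReport(INJECTED_FORM), null, 2));
}
```

In a real deployment the audit would run on page load and again just before submit, and the report would go to the operator's own telemetry, where it can be correlated with the behavioral signals the article mentions. The check is a detection aid, not a guarantee: malware that hooks the browser can in principle suppress or alter the page's own scripts, so a missing report is itself worth watching for on the server side.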
Until recently, Zeus malware attacks have focused primarily on the bank accounts of small-business targets, but they now appear to be shifting toward consumers, Julie Conroy McNelley, a senior analyst with Aite Group, says.
"With consumers, [fraudsters] don't get quite the same opportunity from an average dollar value perspective, but they do get the opportunity to scale, as there are such a vast number of Facebook and Gmail users that could be targeted," she says.
The rise of these new types of attacks will likely cause the most headaches for merchants, because in most cases consumers will not be liable for losses, she says.
Ecommerce site operators can battle such fraud with malware detection technology, but in many cases the attacks are the result of malware that has already been downloaded on consumers' devices, she says.
"Therefore, by the time the consumer goes to log in to their Facebook page, the damage has already been done," McNelley says.
Consumer education must become a key weapon against such attacks, McNelley says, along with ecommerce site operators beefing up systems to spot malware attacks as they occur.
"There is little in the way of disincentive for the organized criminal elements behind these attacks, so the sophistication and frequency will only increase," she says.