Malware app pretending to offer stress relief targets Facebook credentials
At least 40,000 Facebook accounts have been compromised by a new form of malware distributed through a painting application.
Called “StressPaint,” the application, pitched as offering to relieve stress by painting, is being spread through phishing emails and on Facebook itself, according to security firm Radware Ltd., which first identified the campaign. Recipients are led to believe they are going to legitimate sites such as AOL to download a legitimate application.
But once installed, StressPaint steals Facebook credentials and other data by sending the content of Chrome browser cookies and login data files to a command-and-control server. Going far beyond the Cambridge Analytica data scraping that has outraged so many people, the malware also takes other data from the compromised account, including the number of friends, whether the account manages a page or not and whether a payment method is connected to the account.
Complicating matters, Radware noted, attackers could go after Amazon.com Inc. users in a future campaign because the control panel for the malware, based on a Chinese content management system called Layuicms2.0, features a section for Amazon that is not yet functional. “Radware believes that this implies that the group’s next target will be Amazon,” the post notes.
Discussing the Facebook-targeted malware, Zack Allen, director of threat operations at ZeroFOX Inc., told SiliconANGLE that as the importance of social media for public discourse and information gathering continues to skyrocket, so too will the attack surface of organizations and individuals.
“This malware infection is a perfect demonstration of the viral nature of social media, the accessibility to targets that these networks present and the inherent trust that humans have with one another,” Allen explained. “Social media users need to be cognizant of any communication that looks suspicious. Unlike email, they aren’t just managing an inbox. They are handling comments, posts, likes, direct messages and apps – all of which present a distinct set of vectors for attack.”
That said, Allen did note that “we cannot place all the blame on end users for the feature-rich experience that social media provides and the myriad vectors of attacks that hackers can use against them.” The security industry, he said, “should prepare for these vectors as much as possible to help the everyday user, as well as their corporate environments.”
Image: mkhmarketing/Flickr