Second Facebook spam email campaign detected this week
A new email threat has been identified that purports to come from Facebook.
Security firm Red Condor identified the second email threat in as many days that claims to be from Facebook administrators. The email includes a link to a spoofed Facebook login page, which prompts users to reveal personal information and then download a banking Trojan Downloader.
After a user enters their credentials, they are prompted to download ‘updatetool.exe’, which has been detected as a Zbot Trojan variant. The company claimed that the spoofed Facebook login page is fairly sophisticated and uses ‘www.facebook.com’ in the sub-domain portion of the malicious URL.
As a result, people with a low screen resolution or a small browser window or address bar may think that they are on the Facebook login page. At the time Red Condor Spam Trigger detected the threat, only one-third of anti-virus engines had detected it.
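A mail filter can catch the sub-domain trick described above by comparing hostname labels from the right-hand end instead of searching the link for the brand string. The following is an added example, not code from Red Condor or the original article; the `.example` hostnames and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BRAND_DOMAIN = "facebook.com"  # the brand named in the article

def hostname_of(url):
    """Return the lower-cased hostname of a link, without port or trailing dot."""
    if "://" not in url:
        url = "http://" + url  # links in mail bodies sometimes omit the scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority part
        host = ""
    return host.rstrip(".").lower()

def classify(url, brand=BRAND_DOMAIN):
    """Return 'legitimate', 'brand-in-subdomain' or 'unrelated' for one link."""
    host_labels = hostname_of(url).split(".")
    brand_labels = brand.lower().split(".")
    n = len(brand_labels)
    # Genuine only when the brand's labels are the rightmost labels of the host.
    if host_labels[-n:] == brand_labels:
        return "legitimate"
    # Spoof pattern: the same labels appear together, but further to the left,
    # so the site is actually controlled by whoever owns the rightmost labels.
    for i in range(len(host_labels) - n):
        if host_labels[i:i + n] == brand_labels:
            return "brand-in-subdomain"
    return "unrelated"

def flag_links(message_text, brand=BRAND_DOMAIN):
    """Return the links in a message body that carry the brand in a sub-domain."""
    links = re.findall(r"https?://[^\s\"'<>]+", message_text)
    return [u for u in links if classify(u, brand) == "brand-in-subdomain"]

# Constructed sample message body (not taken from the real campaign).
SAMPLE_BODY = """Dear user, please update your account:
http://www.facebook.com.account-check.example/login.php?id=1
Help centre: https://www.facebook.com/help
"""

if __name__ == "__main__":
    for link in flag_links(SAMPLE_BODY):
        print("suspicious:", link, "->", hostname_of(link))
```

Comparing whole labels also avoids treating a look-alike such as `notfacebook.com` as a match, which a plain substring or suffix test would get wrong.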
Dr. Tom Steding, chief executive officer of Red Condor, said: “Given the comfort level that millions of users have with Facebook, we want to make sure that everyone knows that there are multiple spoofed Facebook emails hitting inboxes, and that the blended threat email we are warning about is different than the one many media outlets have already reported.
“Facebook has become phenomenally popular, which makes it a prime target for spammers and cybercriminals. Unprotected email users need to be increasingly aware of the variety of threats that will come to their inboxes posing as legitimate messages. This blended email threat is an interesting twist that seems to have baffled a number of AV engines.”
Jamie Tomasello, Cloudmark's abuse operations manager, said: “The last three days have seen a sharp uptick in social engineering, as one or more of the malware distributors are, once again, playing on the popularity of Facebook to convince people to open their email.
“Emails with the subject ‘Facebook Password Reset Confirmation’ have been flooding inboxes over the last few days, enticing people to open a zip file which purportedly contains the user's new password.
“I cannot stress enough – these emails are not coming from Facebook, and they do not mean that your Facebook account has been taken over, or that someone is trying to get your password. Facebook, unfortunately, is just another victim here; they can't stop bad guys from using their name to dangle as bait in front of you.”