Mar 19

Update on Facebook Blended Threat Campaign

Update: Over the past couple of days, we have noticed another round of the Facebook blended threat email spam campaign that made headlines late last year. We have been successfully blocking these messages since the first campaign came out in October 2009, and it now appears that a new botnet expansion phase may be in the works. The fake Facebook emails are looking to steal personal information and then infect computers with malware.

On October 28, 2009, we warned Facebook users about a new blended threat email campaign targeting them. On October 27, 2009, Red Condor’s security researchers had uncovered a separate Facebook spoof email with downloadable files that included the Bredolab Trojan. This email threat was disguised as a “Facebook Password Reset Confirmation.”

The campaign was a blended threat that combined a phishing scam with a notorious “banking Trojan.” A link within the spam email took users to a spoofed Facebook login page requesting the user’s Facebook account information. After entering their credentials, users were then prompted to download “updatetool.exe”, which was identified as a Zbot Trojan variant.

The spoofed Facebook login page was fairly sophisticated and placed www.facebook.com in the sub-domain portion of the malicious URL, so the hostname began with the familiar name while the real domain came later in the address. As a result, people with low screen resolutions or small browser windows and address bars might have thought they were actually on Facebook’s login page. The Trojan associated with the threat installed a sophisticated “banking Trojan” known to scour the infected hard drive for personal banking information and various login credentials, as well as to perform keylogging and other nefarious activities.
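As an added defender-side illustration (not code from Red Condor or from the original post), the following Python check flags URLs in which a trusted brand domain appears only in the sub-domain or userinfo portion of the hostname, the trick described above. The sample URLs are constructed, and the registrable-domain logic is a simplification that does not consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample URLs for illustration only; none is a real indicator.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com.account-check.example/login/",
    "http://facebook.com-update.example/",
    "http://www.facebook.com@evil.example/",
]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production check should
    consult the Public Suffix List (e.g. 'co.uk' needs three labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, brand: str = "facebook.com") -> str:
    """Classify a URL relative to a trusted brand domain.

    Returns one of: 'genuine', 'userinfo-spoof', 'brand-in-subdomain',
    'brand-lookalike', 'unrelated'.
    """
    parts = urlsplit(url)
    # "brand@real-host": the brand sits in the userinfo, the host is elsewhere.
    if parts.username and brand in parts.username.lower():
        return "userinfo-spoof"
    host = (parts.hostname or "").lower().rstrip(".")
    if registrable_domain(host) == brand:
        return "genuine"
    labels = host.split(".")
    brand_labels = brand.split(".")
    n = len(brand_labels)
    # Brand labels appear intact but to the left of the real registrable
    # domain, e.g. www.facebook.com.account-check.example
    if any(labels[i:i + n] == brand_labels for i in range(len(labels) - n + 1)):
        return "brand-in-subdomain"
    # Brand fused into a label with separators, e.g. facebook.com-update.example
    if brand.replace(".", "") in host.replace(".", "").replace("-", ""):
        return "brand-lookalike"
    return "unrelated"


def scan(urls, brand: str = "facebook.com") -> dict:
    """Return {url: verdict} for every URL that is neither genuine nor unrelated."""
    verdicts = {u: classify_url(u, brand) for u in urls}
    return {u: v for u, v in verdicts.items() if v not in ("genuine", "unrelated")}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:20} {url}")
```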

The virus scam was detected by Red Condor’s proprietary Spam Trigger technology.