Websense® Security Labs™ Threatseeker® network has detected a new malicious email campaign that masquerades as originating from Facebook. The campaign appears to actually originate from the Cutwail/Pushdo spam bot. This time around, the cyber criminals employ two attack vectors: social engineering and an exploit kit. Both end with the Zeus/Zbot Trojan installed on the targeted machines.
Websense customers are protected from this attack with our Advanced Classification Engine analytics, our suite of technologies within TRITON.
Here is an example of a malicious email in Spanish:

The malicious email is spoofed to appear to come from Facebook.com and says: "Hi, someone loves your photo comments, please click on the link to see all comments". It provides a fake URL disguised as an official Facebook link. Once the link is clicked, the user is redirected to an attack page and is prompted to download and run an "update" from Facebook. The "update" file is a Zeus/Zbot Trojan variant. At the time of writing, the file had a detection rate of only 7%.
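
As an added example (not from the original post or from Websense), this Python sketch flags the link disguise described above: anchors whose visible text shows a facebook.com address while the `href` resolves to a different host. The sample email body, its `.example` hosts and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "facebook.com"  # domain the email claims to come from

# Constructed sample body; hosts under .example are placeholders.
SAMPLE_EMAIL = """
<a href="http://www.facebook.com/n/?photo.php">http://www.facebook.com/n/?photo.php</a>
<a href="http://update.example/fb/">http://www.facebook.com/n/?comments</a>
<a href="http://www.facebook.com@cdn.example/x">www.facebook.com/photo</a>
<a href="http://facebook.com.login.example/">Facebook.com</a>
"""

def host_of(url):
    """Hostname the browser would actually contact ('' if none)."""
    try:
        return (urlparse(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def is_brand(host):
    """True only for the brand domain or a genuine subdomain of it."""
    return host == BRAND or host.endswith("." + BRAND)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_links(html):
    """Links whose text shows the brand domain but whose href goes elsewhere."""
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return [(h, t) for h, t in audit.links
            if BRAND in t.lower() and not is_brand(host_of(h))]
```

Comparing parsed hostnames rather than substrings is what catches the userinfo form (`facebook.com@host`) and the lookalike-prefix form (`facebook.com.host`), both of which contain the brand string but resolve elsewhere.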

The attack isn't over yet. While the fake Facebook page loads, the user's machine is silently attacked with several exploits in the background. The exploits are delivered via an iframe contained in the fake Facebook attack page and are loaded from one of the most prevalent exploit kits today, the Blackhole exploit kit. Any successful exploitation results in the Zeus/Zbot Trojan being installed silently on the user's machine.
Here is an example iframe from the Facebook attack page that points to Blackhole exploit kit:

Posted on 19 March 2011. Tags: Black, emails, Exploit, Facebook, Fake, Hole, Notification, Zbot
The above information is reprinted from and copyrighted © by Websense.