Facebook users are being targeted for the second time this week thanks to a new Phishing campaign kicked off yesterday. This new attack uses a two-layer approach: the first goal is to rob a user of their Facebook username and password, and the second is to get them to install a variant of the ZBot Trojan.
Second Facebook attack discovered sending 500 emails per second.
Earlier this week, we brought you the story of an email making rounds online that contained a malicious attachment. The attachment, a Trojan that belongs to the Bredolab family of Malware, was sent along with a warning that a person’s Facebook password was reset.
If the user wanted to access their account, they would need to open the attachment to retrieve their new password. It is still unknown how many people fell for this scam, but at one point MessageLabs said that they were seeing over 90,000 emails moving about.
Now, a second Facebook-based attack is on the move. This one uses both Phishing and Malware. According to AppRiver, the Phishing emails were being sent at a rate of 1000 emails per minute for every domain used in the attack on Wednesday.
At the time of their research, AppRiver discovered 30 domains, which translates to 30,000 emails per minute, or roughly 500 per second. At the time of their warning yesterday, AppRiver said they had seen almost 1.7 million of these messages.
“As we've come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse. The graphics are well done and all look like something you would see from Facebook,” AppRiver’s Fred Touchette wrote.
“The email informs users that Facebook is updating their log-in system to, of course, make things more secure, and it urges people to click on the update button in the email…After the unfortunate victim clicks on the link, they are taken to a false Facebook log-on screen where their user name is kindly filled in for them, they only need to supply their password.”
After a user enters their password, they are prompted to install an Update Tool, aptly named “updatetool.exe”. Another interesting twist to this Phishing attack is that it targets Smartphone users as well. The fake email, when received on a Smartphone, will look exactly like a Facebook notification, complete with icon.
This layer of attack will only properly work if the user has the mobile Facebook application installed. However, considering the millions of Facebook users who access it on their phones, there are plenty of targets for the criminals to choose from.
“Facebook has become phenomenally popular, which makes it a prime target for spammers and cybercriminals. Unprotected email users need to be increasingly aware of the variety of threats that will come to their inboxes posing as legitimate messages. This blended email threat is an interesting twist that seems to have baffled a number of AV engines,” said Dr. Tom Steding, chief executive officer of Red Condor, who also issued an alert on the new Facebook scam. At the time Red Condor detected the threat, only one-third of anti-virus engines had detected it.
As we mentioned when we reported the first wave of malicious Facebook-related emails, it is wise to delete and ignore them. Facebook will never send you an email prompting you to reset a password, or force you to download and install a program to “update” anything.
At the same time, Facebook still does not enforce HTTPS over HTTP for its users’ sessions. This means that a Phishing page constructed like the one in the latest Phishing scam has a better chance of succeeding.
While it isn’t enforced, Facebook users can use https://www.facebook.com when accessing their accounts. This is a good habit to get into, and it goes right along with the advice of never following links inside of emails that appear out of the blue.
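The advice above (treat Facebook-branded mail whose links do not go to facebook.com over HTTPS, or that push an executable, as suspicious) can be turned into a simple gateway-side check. This is an added example, not code from The Tech Herald, AppRiver or Red Condor; the Facebook host list and the two sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts an organisation treats as genuinely Facebook's.
FACEBOOK_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Crude URL extractor; trailing punctuation glued to a link is not stripped here.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_facebook_host(host: str) -> bool:
    """Exact Facebook host or a real subdomain of facebook.com.
    Lookalikes such as 'facebook.com.login-update.example' fail this test."""
    host = host.lower().rstrip(".")
    return host in FACEBOOK_HOSTS or host.endswith(".facebook.com")


def suspicious_links(message: str) -> list:
    """Return (url, reason) pairs for links that contradict Facebook branding."""
    findings = []
    for url in URL_RE.findall(message):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_facebook_host(host):
            findings.append((url, "link host is not facebook.com"))
        elif parsed.scheme.lower() != "https":
            findings.append((url, "Facebook link over plain HTTP"))
        if parsed.path.lower().endswith(".exe"):
            findings.append((url, "link points to an executable download"))
    return findings


def classify(message: str) -> str:
    """'clean', 'suspicious', or 'not-facebook-branded' for a raw message body."""
    if "facebook" not in message.lower():
        return "not-facebook-branded"
    return "suspicious" if suspicious_links(message) else "clean"


# Constructed samples modelled on the campaign described above.
PHISH_SAMPLE = (
    "Subject: Facebook is updating its login system\n"
    "Click Update: http://facebook.com.login-update.example/login.php\n"
    "Then install the tool: http://login-update.example/updatetool.exe\n"
)
LEGIT_SAMPLE = "Subject: New message on Facebook\nhttps://www.facebook.com/messages\n"

if __name__ == "__main__":
    for name, msg in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, classify(msg), suspicious_links(msg))
```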