Facebook users should be on the lookout for an email threat that is posing as a message from Facebook administrators. The message contains both a phishing scam and a notorious “banking Trojan” virus.
A link within the spam email takes users to a spoofed Facebook login page that requests the user’s Facebook account information. After entering their credentials, users are prompted to download “updatetool.exe”, which is a Zbot Trojan variant.
According to Red Condor’s security experts, the spoofed Facebook login page uses www.facebook.com in the sub-domain portion of the malicious URL. As a result, people with a small screen resolution or a small browser window or address bar might think they are actually on Facebook’s login page.
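A mail filter or proxy can catch the sub-domain trick described above by comparing the registrable domain of a link's host with the brand's real domain, rather than looking at how the host begins. This is an added example, not code from Red Condor; the sample URLs, the function names and the short multi-label suffix set are constructed assumptions (a real deployment would use the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumption: tiny constructed subset of multi-label public suffixes.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of the host that the site owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url, brand_domain="facebook.com"):
    """Classify a link as 'legitimate', 'brand-in-subdomain' or 'other'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    if reg == brand_domain:
        return "legitimate"
    # Everything to the left of the registrable domain is attacker-chosen.
    sub = host[: len(host) - len(reg)].rstrip(".")
    if "." + brand_domain + "." in "." + sub + ".":
        return "brand-in-subdomain"
    return "other"


def address_bar_view(url, width):
    """What a narrow address bar shows: only the leading characters."""
    return url[:width]


if __name__ == "__main__":
    # Constructed sample links; .example is a reserved test TLD.
    samples = [
        "https://www.facebook.com/login.php",
        "http://www.facebook.com.login-update.example/index.php",
        "http://facebook.com.example.co.uk/",
        "http://news.example/facebook.com",
    ]
    for url in samples:
        print(f"{classify_link(url):20} {address_bar_view(url, 23)!r:28} {url}")
```
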
The Trojan associated with this threat installs a sophisticated “banking Trojan” that is known to scour the infected hard drive for personal banking information and various login credentials, as well as to perform key logging and other nefarious activities.
In media reports from yesterday and today, security researchers uncovered a separate Facebook spoof email with downloadable files that included the Trojan virus Bredolab. This email threat was masked as the “Facebook Password Reset Confirmation.” The threat identified today by Red Condor refers instead to implementing a new login system that will affect all Facebook users.
“Given the comfort level that millions of users have with Facebook, we want to make sure that everyone knows that there are multiple spoofed Facebook emails hitting inboxes, and that the blended threat email we are warning about is different than the one many media outlets have already reported,” stated Dr. Tom Steding, CEO of Red Condor. “Facebook has become phenomenally popular, which makes it a prime target for spammers and cybercriminals. Unprotected email users need to be increasingly aware of the variety of threats that will come to their inboxes posing as legitimate messages. This blended email threat is an interesting twist that seems to have baffled a number of AV engines.”