Fake Facebook notification delivers keylogger

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Fake Facebook notifications about changes in users’ account information have been hitting inboxes and delivering malware to unwary users, warn BarracudaLabs researchers.

The email address of the sender is spoofed to make it look like it has been sent by the social network, and the message contains only an image implying that the recipient needs to install Silverlight (Microsoft’s answer to Adobe Flash) in order to view the content:

Hovering with mouse over the image shows that the offered file is a Windows PIF file (a type of executable file) and that is hosted on a IP address in Malaysia. Sadly, the innocuous looking file is actually a keylogger – the Jorik Trojan.

The real beauty of the scheme shows itself once the user clicks to download the file. As Trojans are also executables, the usual Windows warning about downloading and running potentially harmful software is not out of place but is unfortunately often automatically disregarded by users.

Once the keylogger is installed, it starts recording every keystroke and Web page title into a disk file, which is ultimately sent to a C&C server operated by cyber criminals.