A new spam campaign is targeting Facebook users. It uses the same approach as the recent one aimed at WhatsApp users, and Comodo researchers believe that the authors of both campaigns are likely the same.
The fake emails are made to look like an official communication from the popular social network, and their goal is to make the victims believe they have received a voice message.
As in the previous WhatsApp campaign, the subjects of the emails contain a set of random characters (e.g. “An audio announcement has been delivered! Lucqmc”, “You got a vocal memo! Fcqw”).
“These are most likely being used to bypass antispam products rather than identify the user,” the researchers posited.
The attachment that the recipients are urged to download and open contains a malicious executable – a variant of the Nivdort information-stealing Trojan.
Once run, the malware automatically copies itself into the “C:\” directory and adds a Windows Registry entry that allows it to run automatically after each restart or shutdown of the machine.
It also attempts to prevent users from accessing websites of AV vendors (by modifying the Windows Hosts file) and attempts to disable Firewall notifications from the Windows Security Center (with another Windows Registry modification), which may make it difficult to spot and remove.
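The Hosts-file tampering described above can be checked for directly. The following is an added example, not code from Comodo or from the original article: it parses Hosts-file text and reports any entry that pins a watched security-vendor domain to an address. The watchlist domains, function names and sample file are constructed placeholders.

```python
import ipaddress

# Assumed watchlist: placeholder domains standing in for security-vendor sites.
WATCHED = {"av-vendor.example", "security-tool.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a valid address: skip line
        for host in fields[1:]:                   # one line may map several names
            yield line_no, ip, host.lower().rstrip(".")

def is_watched(host, watched):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, host, ip, verdict) for each watched name that is pinned."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        # Loopback or 0.0.0.0/:: makes the site unreachable; anything else
        # silently sends the user to a different server.
        blocked = ip.is_loopback or ip.is_unspecified
        findings.append((line_no, host, str(ip), "blocked" if blocked else "redirected"))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example www.av-vendor.example   # added by malware
0.0.0.0         Updates.Security-Tool.example
203.0.113.7     download.av-vendor.example
192.168.1.10    fileserver.corp.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a Windows host the text to audit would come from the system Hosts file, and the watchlist would hold the domains of the security products actually deployed.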
“In this age of cyberattacks, being exposed to phishing is a destiny for every company, well-known or not. It may not be the most groundbreaking attack method cybercriminals use – but there’s no denying that they’re becoming more clever when crafting their messages,” noted Fatih Orhan, Director of Technology for Comodo and the Comodo Threat Research Lab.
“More frequently, they’re using ‘too good to be true’ promises and action-oriented language in the subject lines to entice recipients to open the emails, click the links or attachments and spread the malware.”