MX Lab detected a large new campaign targetting Facebook users. The campaigns combines phishing techniques with the download of malware and a PDF exploit from the web site.
The phishing campaign has the same characteristics of the previous campaign that we have posted:
Facebook account update (part 1)
Facebook account update (part 2)
The message is being sent from the spoofed address “Facebook <email@example.com>” and has various subjects:
Facebook account update
Facebook update tool
New login system
This is the body of the phishing/malware email:
The included leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.
The phishing web site contains instructions on how to update your account.
In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:
* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.
On this page you can see a web page where you need to confirm your old and new password and the download link to the file updatetool.exe that leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.
When we have visited the first time the phishing site, an automated download was executed of the file pdf.pdf.
As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).
AV detection rate: 9/40 AV engines did detected the threat
Virus Total permlink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6
AV detection rate: 6/40 AV engines did detected the threat
Virus Total permlink and MD5: 095fe570f78c322c8e358c656816c200.