Facebook subject to campaign that combines phishing and malware

December 8, 2009 by mxlab 2 Comments

MX Lab detected a large new campaign targetting Facebook users. The campaigns combines phishing techniques with the download of malware and a PDF exploit from the web site.

The phishing campaign has the same characteristics of the previous campaign that we have posted:

Facebook account update (part 1)
Facebook account update (part 2)

The message is being sent from the spoofed address “Facebook <update+umxlabvkqxqrig@facebookmail.com>” and has various subjects:

Facebook account update
Facebook update tool
New login system

This is the body of the phishing/malware email:

The included leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/MyAccount.php?ref=520***&email=***@***.com.

The phishing web site contains instructions on how to update your account.

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.
A new Facebook Update Tool has been released for your account. Please download and install the tool using the link below:

updatetool.exe

* Do not use the same password that you use for other online accounts.
* Your new password must be at least 6 characters in length.
* Use a combination of letters, numbers, and punctuation.
* Passwords are case-sensitive. Remember to check your CAPS lock key.

Old Password:
New Password:
(required) ?
Confirm Password:
(required)

On this page you can see a web page where you need to confirm your old and new password and the download link to the file updatetool.exe that leads to hxxp://www.facebook.com.jjjiok.org.uk/global_directory/updatetool.exe.

When we have visited the first time the phishing site, an automated download was executed of the file pdf.pdf.

As expected, this PDF contains an exploit. When we submitted the PDF file for examination to Virus Total we got the names EXP/Pidief.FV (Antivir), Exploit.PDF-JS.Gen (BitDefender), Exploit.PDF-JS.Gen (GData), Exploit:Win32/Pdfjsc.CM (Microsoft) and Troj/PDFEx-CD (Sophos).

pdf.pdf:

AV detection rate: 9/40 AV engines did detected the threat
Virus Total permlink and MD5: 93cba9349ecc8fb605c7932be0cdc9c6

Updatetool.exe:

AV detection rate: 6/40 AV engines did detected the threat
Virus Total permlink and MD5: 095fe570f78c322c8e358c656816c200.

Filed under Phishing, Viruses Tagged with , , , ,

2 Responses to Facebook subject to campaign that combines phishing and malware

  1. Atticus says:
    December 30, 2009 at 4:08 pm

    Ok, I just received this email and, thinking it was legit, foolishly tried to “Update my Account.”

    The email directed me to what appeared to be the facebook login page. Once I logged in, it automatically directed me to a page titled “My Account” where it prompted me to submit my name and country.

    Obviously, this is a well thought out campaign. Needless to say, I’m now a little worried about my facebook account.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>