
Facebookers Beware: Users Targeted By Massive Banking Trojan

October 29, 2009

San Francisco — On the heels of one fake Facebook phishing scam, computer virus gangs are bombarding Facebook members with targeted fake emails, using the popular social-networking website’s brand to trick unsuspecting users into downloading potentially vicious malware in the hope of gaining control of members’ Facebook and other accounts — a rising type of cybercrime. The “Bredolab” Trojan lets cyber criminals control personal computers and reaches at least 735,000 users.

The attack, which started Monday afternoon, according to e-mail security vendor Cloudmark, targets Facebook users with a spoofed message that claims recipients’ Facebook passwords have been reset as a security measure. In the latest phishing attack being fired at e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. The messages, which come bearing subject lines such as “Facebook Password Reset Confirmation,” include a file attachment that supposedly contains the new password.

As soon as the user clicks the “update” button in the e-mail, a phony Facebook log-in screen appears where their user name is already filled in and they are prompted to provide their password.

This is the prompt Facebook users get as part of the latest phishing scam. Downloading the “update tool” installs a Trojan. (Credit: AppRiver)

In fact, there is a deadly attached .zip file that contains a Trojan downloader, dubbed “Bredlab” by some antivirus companies, “Bredolab” by others. These emails claim to come from support@facebook.com, and once downloaded, the virus offers the sender complete control of the target computer, allowing cyber criminals to potentially spy on users of the computer or use it to steal personal information or distribute more spam.
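The traits described above (a facebook.com sender, a password-reset subject line and a .zip attachment holding a program) can be combined into a simple mail-filter check; this is an added example, not code from the article or from any vendor it quotes. The `Authentication-Results` header, the extension list, the file names and the sample message are assumptions constructed for the illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: extensions treated as Windows executables (not a list from the article).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")

def build_sample(sender="support@facebook.com",
                 subject="Facebook Password Reset Confirmation",
                 inner="new_password.exe", spf="fail"):
    """Constructed sample message; the zip holds inert text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"inert placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", subject
    # Assumption: the receiving mail server records its SPF/DKIM verdict here.
    msg["Authentication-Results"] = f"mx.example.com; spf={spf}"
    msg.set_content("Your password has been reset. See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="new_password.zip")
    return msg.as_bytes()

def score_message(raw):
    """Return the reasons a message resembles the lure described in the article."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    # A forged From: line cannot produce a passing SPF or DKIM verdict.
    if sender.endswith("@facebook.com") and "spf=pass" not in auth and "dkim=pass" not in auth:
        reasons.append("facebook.com sender without passing SPF/DKIM")
    if "password reset" in str(msg.get("Subject", "")).lower():
        reasons.append("password-reset subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:  # look inside the archive without extracting anything to disk
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                inner = [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip attachment: {name}")
            continue
        if inner:
            reasons.append(f"zip attachment contains executable: {inner[0]}")
    return reasons
```

A message that triggers all three reasons matches the campaign's shape; any single reason on its own is weak evidence and is better used for scoring than for outright blocking.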

Paul Wood, a MessageLabs Intelligence senior analyst for Symantec Hosted Services, said his research firm first noticed the new variant of the virus Monday afternoon. And, at its peak, the virus accounted for 30 percent of all malware observed.

At this time, Facebook is unable to do anything beyond advising its members to be cautious in order to slow down these attacks. “This virus has been spreading over email, not on Facebook,” says Facebook spokesman Simon Axten. “We are educating users on how to detect this through the Facebook Security Page.”

This is a screen shot of the message in the body of the fake Facebook e-mail. (Credit: AppRiver)

A large number of security vendors, including Symantec, Trend Micro, MX Lab and Websense, have put out warnings about the attack campaign. “This variant of Bredolab connects to a Russian domain and the infected machine is most likely becoming part of a Bredolab botnet,” said Shunichi Imano, a security researcher at Symantec, in a post to the firm’s security blog.

Jamie Tomasello, Cloudmark’s abuse operations manager, said today that her company alone has detected nearly three-quarters of a million phony Facebook messages since Monday, and nearly 250,000 in the last 24 hours. “Our count continues to go up, and is at about 735,000 now,” said Tomasello. “It is a pretty high volume.”

According to Tomasello, both desktop clients and ISPs that use Cloudmark to filter potentially malicious mail have reported receiving the fake Facebook e-mail.

Users of smart phones with the Facebook app installed can also easily be fooled, because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, Touchette added.

“People are very addicted to their Facebook accounts. They are so accustomed to communicating frequently and rapidly all the time,” says Tomasello. “They are aware of all the attacks, and are concerned about them. Yet many of them believe this is a legitimate security message from Facebook that got inadvertently sent to their junk mail folder.”

In one of the current attacks, the crooked guys are directing an army of computers they have previously infected to systematically send out individual email messages to millions of Facebook members.