Simply Security - News, Views, and Opinions from Trend Micro

Facebook Events, Credits, and Passwords Being Used for Attacks

Posted on April 18th, 2011 in Current News, Cybercrime by TrendLabs

Facebook has expanded the number of services it offers its numerous users, making the site much more than a place for users to interact. It has been said in several instances that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

It is this convenience that cybercriminals leveraged in a recent spam run we’ve seen, which invites users to download an application called Facebook Messenger that supposedly makes it easier for them to access messages sent to their Facebook account.

The attack starts with spammed messages that appear similar to a Facebook notification. The email message alerts the user to a message sent to their Facebook account and tells the user to click a link to view the message. Once the user clicks the link, however, they will see a download page for an application called Facebook Messenger.

 

 

The downloaded file, named FacebookMessengerSetup.exe, is malicious and is detected as BKDR_QUEJOB.EVL.

BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by an attacker. These commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and the OS version, and then sends the gathered information to a certain SMTP server.

More Attacks Targeting Facebook Users

It seems like cybercriminals have got their eyes set particularly on Facebook users these days, as this is not the only attack we’ve seen targeting users of the popular social networking site in the past couple of days.

In another spam attack, recipients are told that their Facebook password is unsafe and are instructed to open an attached document that supposedly contains their new password and information on how they can further secure their account. Ironically, the said document is actually malware and is now detected as TROJ_DOFOIL.VI.

 

We’ve also seen attacks similar to the one we reported before, which exploits the Facebook Events feature. This time, however, the social engineering lure used is yet another popular Facebook feature: Credits.

Users are told that there is a glitch in Facebook’s system that allows them to add credit to their account by simply following a set of instructions. Similar to the technique used in the Facebook Stalker Tracker attack, users are told to copy a piece of code and paste it into the web browser. Executing the said script results in the creation of an event and the invitation of the affected user’s contacts. The event contains spammy information such as links to the Canadian Pharmacy.

 

 

The script used to create the spam event is now detected as JS_OBFUS.PB.

Trend Micro users are already protected from the above-mentioned threats through the Trend Micro Smart Protection Network. Facebook users need to be aware that such schemes, among others, are rampant on the network. Extreme caution before clicking links is strongly advised. Users may check out our comprehensive report, Spam, Scams and Other Social Media Threats.

Added text and analysis by Dhan Praga and Harry Reynoso

Post from: TrendLabs | Malware Blog – by Trend Micro


