Tuesday, September 23, 2008

Facebook Email Spoof Contains Trojan Horse

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by the popular Web 2.0 social-networking site, Facebook. The email is spoofed to appear to come from the domain facebookmail.com, an official domain that Facebook uses for outbound emails notifying its users of an event.

It is common for Facebook to send an email to notify their users when another Facebook user adds them as a friend on the social network. However, the spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse.

A Facebook login page is included in the body of the email. We have previously issued an alert about a viral Facebook phishing campaign discovered via our HoneyJax system, so we would not have been surprised if the login page presented were merely a front for a phishing site. However, an examination of the HTML form's source code shows that it does pass the user name and password to Facebook itself. This may be intended to make the email appear more legitimate and so evade reputation-based spam filters.
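The following triage sketch is an added example, not Websense code. It reports the target of every form embedded in an HTML mail body together with any archive attachment, so a login form that genuinely posts to the brand's site does not clear a message that also carries a zip. The sender local-part, subject, form URL, attachment name and `brand_domain` default are constructed assumptions.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormActions(HTMLParser):
    """Collect the action URL of every <form> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def host_in(url, domain):
    """True only if the URL's host is the domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def triage(msg, brand_domain="facebook.com"):
    """Return findings for one message; brand_domain is an assumption."""
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or ctype == "application/zip":
            findings.append("archive-attachment:" + name)
        elif ctype == "text/html":
            parser = FormActions()
            parser.feed(part.get_content())
            for action in parser.actions:
                verdict = "on-brand" if host_in(action, brand_domain) else "off-brand"
                findings.append(f"embedded-form:{verdict}:{action}")
    return findings

def build_sample():
    """Constructed message shaped like the one described: form plus zip."""
    msg = EmailMessage()
    msg["From"] = "notification@facebookmail.com"   # constructed local-part
    msg["Subject"] = "Constructed sample subject"
    msg.set_content("Constructed plain-text body")
    msg.add_alternative('<form action="https://www.facebook.com/login.php" '
                        'method="post"><input name="email"></form>', subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="picture.zip")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))
```

Both findings are reported independently: the on-brand form target is recorded as context, while the archive attachment is what warrants quarantine and analysis.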
