Furtive French photos feign as Facebook, but it's a malware attack


Malware attacks spammed to your inbox, posing as intimate photographs, are nothing new, of course.

We've seen plenty of examples of such tactics being used by cybercriminals in the past: topless supermodel photos used to spread Mac malware, photos of an English football star caught in the act with a prostitute offered by Facebook scammers, and complete strangers offering naked pictures as they hunt for a sex partner.

Unless you're in a profession which makes it normal for complete strangers to email you naked pictures, chances are that you would find such messages slightly out of the ordinary.

You might even suspect that some mischief was afoot.

But worryingly, many people would still find it impossible to resist clicking on the attachment to see more.

We have intercepted a malware campaign in the last 24 hours, which adds a Gallic flavour to things.

Here's what a typical email looks like:

Malicious email written in quasi-French

Subject: Facebook

Message body:
Bonjour Man, [email address]

Je ne sais pas comment le dire, mais je n'ai tryed avant longtemps de vous envoyer quelques photos, mais j'ai pensé que vous n'êtes pas intéressé à me voir.
Mais maintenant, je vais vous envoyer les photos dans la pièce jointe.
Téléchargez les photos et ils extraient, je suis sûr que vous qu'ils aiment. Le mot de passe est: 123456

Passez une excellente journée.

Attached to the email is a file called DC24154.zip.

Clearly, the email above is written in French. But you may not realise that it is written in rather poor quality French.

Interestingly, the email uses the polite formal style of French ("vous" rather than "tu"), which, considering its intimate subject matter, is somewhat unusual. Chances are that whoever was behind the campaign is not a native French speaker, but has used an online translation tool instead.

If you cannot cope with the quasi-French, here is a translation supplied by my colleague Carole Theriault:

Subject: Facebook

Message body:
Hello [email address]

I don't know how to tell you this, but I have tried for a long time to send you a few photos, but I thought that you weren't interested in seeing me.

But now, I will send you the photos attached here in this email.

Download the photos and extract them. I'm sure that you will love them. The password is: 123456

Have a great day.

Inside the spammed-out ZIP file is a malicious file called DC24145.EXE, which has a Facebook-like icon and carries a (fake) digital signature claiming to be issued by German anti-virus firm Avira GmbH.

Sophos detects the malware as Mal/VB-AER and Troj/ZbotMem-B. The criminals behind the attack may have imagined that encrypting the ZIP with a password would have fooled anti-virus filters but they were mistaken. :)
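As an added illustration (not code from the original article, and not a description of how Sophos detects this campaign), here is one way a mail filter can flag this pattern without the password: in ordinary password-protected ZIPs the entry names and the encryption flag are stored unencrypted in the central directory. The function names, extension list and regular expression are assumptions, and the sample archive is constructed from harmless placeholder bytes.

```python
import io
import re
import zipfile

# Assumed policy list: file types a gateway would refuse inside an archive.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Matches "The password is: 123456" and "Le mot de passe est: 123456".
PASSWORD_HINT = re.compile(r"(?:password is|mot de passe est)\s*:?\s*(\S+)", re.I)


def inspect_message(body: str, attachment: bytes) -> dict:
    """Inspect a ZIP attachment using only its unencrypted metadata."""
    reasons = []
    encrypted_seen = False
    executable_seen = False
    with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
        for info in zf.infolist():  # central directory only, no password needed
            if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                encrypted_seen = True
                reasons.append(f"encrypted entry: {info.filename}")
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                executable_seen = True
                reasons.append(f"executable in archive: {info.filename}")
    if encrypted_seen and PASSWORD_HINT.search(body):
        reasons.append("body supplies archive password")
    return {"quarantine": executable_seen, "reasons": reasons}


def build_sample_zip(name: str, encrypted: bool) -> bytes:
    """Constructed sample: placeholder bytes, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed placeholder, not a real executable")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set flag bit 0 by hand:
        # offset 6 in the local header, offset 8 in the central directory record.
        raw[6] |= 0x1
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)


if __name__ == "__main__":
    body = "Le mot de passe est: 123456"  # line taken from the email quoted above
    print(inspect_message(body, build_sample_zip("DC24145.EXE", True)))
```
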

Those with long memories may recall that last year Naked Security warned about an English-language malware campaign that was spammed out in a very similar style.

Could it be that someone is taking a punt, and has simply taken the wording of an English malware campaign and converted it into French in the hope of finding new victims?

Whether you're a Francophile or not, don't allow malware to infect your computer. You should always be suspicious of unsolicited email attachments that are emailed to you out of the blue, and ensure that you have proper defences in place to protect against malware and spam threats.

French girl image, courtesy of Shutterstock.


3 Responses to Furtive French photos feign as Facebook, but it's a malware attack

  1. alyafi · 775 days ago

    Hi,
    The French message has a spelling fault: "tryed" is not French!
    In the meantime, Hotmail users were subject to a similar hacking method. A message with an attached file when opened will ask you to log in. Thus, your password is captured.
    Mail accounts were mostly used for spamming.

  2. Richard P · 774 days ago

    It looks like a machine translation into French of a poor-quality English original. In particular, there is a word "tryed" which is not French at all, but probably a misspelled original word which was ignored by the machine translation.

  3. Snert · 774 days ago

    If I ever open any unsolicited email like this I'll do it in a sandbox just to see what's in it.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.