The bottom falls out of Facebook email malware

Filed Under: Facebook, Malware, Spam

Email claiming to come from FacebookSophosLabs has intercepted a malware attack that has been spammed out, pretending to be a notification about a Facebook friend's sexy video.

Although you may think that as the emails are written in Spanish, they are unlikely to trick many non-speakers to click on the malicious link contained within.

However, an embedded thumbnail of a semi-naked young woman may be enough for many to venture further without thinking of the possible consequences.

I've edited the screenshot below because even after blurring and pixellating, it still looked really rather rude. Anyway, you can still see enough of the email to get the gist of what to look out for in your inbox.

Malicious Facebook email

Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en..

This (very roughly) translates to:

Cutey! Ha ha ha.. don't show this video to anyone. It's only for you! Why? Because I love you! I liked your video a lot..

If you didn't have your wits about you, you might be fooled into believing that you have accidentally found yourself caught between a sexy conversation between two latin lovers.

If you click on a link in the email, however, you are taken to a webpage that tries to download a file called Video_Multimedia.exe to your computer. Sophos intercepts that file as malware, identifying it as Troj/Agent-YGD.

TortoiseSVNCuriously, the executable file contains version information stolen from a legitimate application - TortoiseSVN, a client for Subversion, the Apache version control software.

Presumably the malware authors deliberately chose to steal information from a legitimate application in the hope that it would trick anti-virus scanners into believing that the file was safe.

It's important to understand that these particular emails do not appear to have been sent via Facebook. Although they "borrow" Facebook's logo and styling, they have been deliberately crafted to appear like a legitimate email notification from the social network.

If you're on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 190,000 people.

, ,

You might like

3 Responses to The bottom falls out of Facebook email malware

  1. Mark Fisher · 686 days ago

    I don't understand how they can steal version information - aren't the apps supposed to be digitally signed?

    • Paul Ducklin · 686 days ago

      The version information itself is just a number of fields of text. You can copy the text and put it into your application easily enough, but you're right that you can't simply copy the digital signature. (This applies to the entire application, not just to the version data, so that you can't change anything in the app without invalidating the signature).

      It would probably have been clearer if Graham had written "version info copied from a legitimate app", but it wouldn't have conveyed the element of dishonesty about it.

      Lawyers will no doubt also notice that the version info wasn't technically "stolen" - just as joyriders TWOC and don't steal when they "borrow" your car - since there was no intent permanently to deprive. Tell that to the Marines!

      That's what happened here. The version info was "taken without consent". In popular parlance, it was lifted, nicked, half-inched, filched, pirated, secretly borrowed... in a word, stolen :-)

  2. Doug Sloan · 685 days ago

    Slightly off topic but still relevant ...apologies
    This is also spilling into the public world, not just the walled garden of facebook... Our MTA is currently receiving 50 emails per second from forged usernames @facebookmail.com
    We push a reject to the server ANYTHING@domain = facebookmail.com REJECT.
    Guess you cant do that inside the facebook environment...

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.