Scam of the day – Bredos targeting Facebook

Today we have seen a surge in emails pretending to be from the social networking site Facebook.

The message claims that Facebook has changed the user’s password to enhance user safety and that the new password is in an attached document. The message looks like this:


Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

The Facebook Team.

Content-Type: application/zip; name=""
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=""

The attachment is called “Facebook_details_<some number>.zip”. This attachment is malicious and should not be opened.

Sophos detected this file as Troj/BredoZp-AD and the executable inside the zip file as Troj/Bredo-BN.