Facebook account cancellation malware poses as Adobe Flash update

Have you received an email asking you to confirm that you wish to cancel your account?

Be on your guard.

A Naked Security reader was in touch with us earlier today, after his suspicions were aroused by an email he had received – seemingly from Facebook.

Malicious email claiming to come from Facebook

Hi [email address]

We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request

The Facebook Team

To confirm or cancel this request, follow the link below:
click here

Our correspondent was right to be suspicious. The link doesn’t point to an official Facebook page, but to a third-party application running on the Facebook platform. Of course, that means the link *does* go to a facebook.com address – something that might fool those who are not cautious.
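A simple defender-side check for the trick described above, added here as an example and not part of the original post: it pulls the links out of a message body and flags those that sit on a facebook.com host yet point at a platform application rather than an official page. The sample email is constructed, and the assumption that third-party platform apps live under `apps.facebook.com` or a `/apps/` path is the example's own heuristic, not something the post states.

```python
import re
from urllib.parse import urlparse

# Constructed sample body modelled on the message quoted in the post.
# The link target is illustrative, not the real one from the campaign.
SAMPLE_HTML = """
<p>Hi victim@example.com</p>
<p>We are sending you this email to inform you that we have received an
account cancellation request from you. Please follow the link below to
confirm or cancel this request</p>
<p>The Facebook Team</p>
<p>To confirm or cancel this request, follow the link below:
<a href="https://apps.facebook.com/example-cancel-app/?ref=mail">click here</a></p>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def classify_link(url):
    """Return (on_facebook, platform_app) for one URL.

    platform_app is an assumed heuristic: platform (third-party) apps are
    treated as living under apps.facebook.com or facebook.com/apps/..., so a
    "Facebook" notice landing there is not an official Facebook page even
    though the host really is facebook.com.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    on_facebook = host == "facebook.com" or host.endswith(".facebook.com")
    is_app = on_facebook and (host.startswith("apps.")
                              or parsed.path.startswith("/apps/"))
    return on_facebook, is_app


def triage_links(html):
    """Extract every anchor and report why a reader should not trust it."""
    findings = []
    for href, text in HREF_RE.findall(html):
        on_facebook, is_app = classify_link(href)
        reasons = []
        if on_facebook and is_app:
            reasons.append("facebook.com address, but a third-party platform app")
        if not on_facebook:
            reasons.append("not a facebook.com address at all")
        if re.sub(r"\s+", " ", text).strip().lower() == "click here":
            reasons.append("generic 'click here' anchor hides the destination")
        findings.append({"url": href, "text": text.strip(),
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings
```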

The first thing you’re likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer.

Java app

And it seems they’re pretty insistent that you allow it. If you hit the “No thanks” button, they’ll just carry on pestering you to allow the Java applet to run.

Nagging screen

The social engineering being used by the tricksters behind this malware attack is pretty cunning. They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.

The hope of the cybercriminals is that victims will blindly agree to whatever the computer tells them to do, in order to “fix” the account cancellation request.

The malware attempts to infect your Windows computer

If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated.

Of course, the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, intended to allow remote hackers to spy on your activities and take control of your computer.

Sophos security products detect the malware as Mal/SpyEye-B and Troj/Agent-WHZ, and block access to the website hosting the dangerous code.

Hat-tip: Thanks to SophosLabs researcher Joanne Garvey for her assistance in researching this threat.