Facebook account cancellation malware poses as Adobe Flash update

Filed Under: Adobe Flash, Facebook, Featured, Java, Malware, Social networks, Spam

Have you received an email asking you to confirm that you wish to cancel your account?

Be on your guard.

A Naked Security reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook.

Malicious email claiming to come from Facebook

Hi [email address]

We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request

The Facebook Team

To confirm or cancel this request, follow the link below:
click here

Our correspondent was right to be suspicious. The link doesn't point to an official Facebook page, but to a third-party application running on the Facebook platform. Of course, that means the link *does* go to a facebook.com address - something that might fool those who are not cautious.
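The point above is the one a mail filter or a human triager has to catch: the sender domain does not match the brand, the visible link text hides the target, and the target host is on facebook.com yet is the platform's third-party application host rather than an official page. The following Python script is an added example, not code from the article or from Sophos; the sample email is constructed (the facemail.com sender domain is what a commenter below reports seeing, the application path is a placeholder), and the list of third-party application hosts is an assumption for illustration.

```python
"""Triage helper for the account-cancellation lure described above.

Added example. The sample message below is constructed, not the real
email; the sender domain 'facemail.com' follows a reader's report and
the application path is an obvious placeholder.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the message quoted in the article).
SAMPLE_EMAIL = """\
From: The Facebook Team <support@facemail.com>
To: victim@example.com
Subject: Account cancellation request
Content-Type: text/html

<html><body>
<p>We are sending you this email to inform you that we have received an
account cancellation request from you.</p>
<p>To confirm or cancel this request, follow the link below:</p>
<a href="http://apps.facebook.com/EXAMPLE-APP-PLACEHOLDER/">click here</a>
</body></html>
"""

# The brand the message claims to come from.
CLAIMED_DOMAIN = "facebook.com"
# Hosts that serve third-party platform applications rather than official
# pages. Assumed for this example; maintain from your own knowledge.
THIRD_PARTY_APP_HOSTS = {"apps.facebook.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_matches(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(raw_email):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Does the sender's domain match the brand the mail claims to be from?
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if not domain_matches(sender_domain, CLAIMED_DOMAIN):
        findings.append(f"sender domain {sender_domain!r} is not {CLAIMED_DOMAIN}")

    # 2. Inspect every link: generic anchor text, app host, off-domain host.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if text.lower() in {"click here", "here", "link"}:
            findings.append(f"generic link text {text!r} hides target {href}")
        if host in THIRD_PARTY_APP_HOSTS:
            # On-brand domain, but a third-party application: the trick the
            # article describes, so check this before the domain test.
            findings.append(f"link goes to third-party app host {host}")
        elif not domain_matches(host, CLAIMED_DOMAIN):
            findings.append(f"link host {host!r} is off-domain")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Note the ordering in the link check: a plain "is the host on facebook.com" test would pass the sample link, which is exactly why the lure works, so the third-party application host test runs first and the domain test only catches links that leave the brand's domain altogether.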

The first thing you're likely to encounter if you do click on the link is a message asking you whether you want to allow an unknown Java applet to run on your computer.

Java app

And it seems they're pretty insistent that you allow it. If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run.

Nagging screen

The social engineering being used by the tricksters behind this malware attack is pretty cunning. They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.

The hope of the cybercriminals is that victims will blindly agree to whatever the computer tells them to do, in order to "fix" the account cancellation request.

The malware attempts to infect your Windows computer

If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated.

Of course, the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which are intended to allow remote attackers to spy on your activities and take control of your computer.

Sophos security products detect the malware as Mal/SpyEye-B and Troj/Agent-WHZ, and block access to the website hosting the dangerous code.

Hat-tip: Thanks to SophosLabs researcher Joanne Garvey for her assistance in researching this threat.


18 Responses to Facebook account cancellation malware poses as Adobe Flash update

  1. groverdine · 1235 days ago

    Wow, the hacker community is getting smarter by the minute. Scary stuff.

    • JustMe · 1235 days ago

      Don't ever think the hacker community isn't leaps and bounds more intelligent than the rest of us... They are.

      • Kraggy · 1234 days ago

        The majority of the 'hacker' community isn't so very intelligent, most of these 'hacks' use toolkits created by the few who are very bright.

        Thing is, it's just a sad fact that the majority of users of systems like Facebook are just stupid and mindlessly click on anything, as this blog points out, which is why this sort of attack works so widely.

  2. Mike · 1235 days ago

    Thanks again, Sophos!

  3. havenasp · 1235 days ago

    Why hide the URL ip address?

  4. shadywilbury · 1235 days ago

    That really is bizarre. I got a comment on my blog earlier today that contained a link to a page which downloaded the "Adobe update" - as a zip file. Luckily I'm in Chrome, so it didn't do anything, but I was confused by that.

  5. trudy tayler · 1235 days ago

    I don't know what we would do without you. Thank you

  6. Sharon · 1234 days ago

    I also got a pop up telling me I needed to update my Java. I didn't do it but planned to later. Glad I got the message!

    • Yorgos · 1234 days ago

      Are you sure that it wasn't a notice by Java itself, your browser or even Windows? In that case you should actually act on it promptly.

  7. Sean Taylor · 1234 days ago

    Why inform us of the Malware and then hide the URL addresses?

  8. lewis · 1234 days ago

    This has been out for ages now and there are hundreds of public guides on how to create your own Java applet; in the hacker world it's known as a Java drive-by (JDB).

    It's Facebook's fault in this issue for allowing such malicious applets to be hosted on their site; as I have said previously in other posts, Facebook should have their own dedicated team that manually inspects all applications created on their site.

    Also these hackers are noobs compared to others I have seen; it is so easy to use an email spoofer and they could have put support@facebook.com or whatever they please. Although facemail.com shown in the pic is enough to fool the average FB user.

    Good read, cheers Sophos again

    • njorl · 1233 days ago

      Spot on: "The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform."

      As I read through the article, I was surprised Mr Cluley didn't emphasise that point.

      We're all used to malicious spam using pages on (often, hacked) domains that are unrelated to the supposed sender (and the better e. mail programs print out the actual link target, rather than the display one, when they spot this trick) but a link we can verify does go to the correct domain could catch out all but the ultra-wary amongst us.

      A $104 billion company should be taking much better care of its customers. (Only the other day, we were berating poor little Adobe - under $6 billion - because it hadn't been keen to hand out a fix of some obscure security bug in ancient versions of its product.)

      • lewis · 1233 days ago

        I totally agree with you, and after reading my post I am very ashamed about my spelling :/ I have dyslexia

  9. Randy · 1234 days ago

    I would be suspicious simply because of the idea that Facebook would allow anybody to cancel their account so easily. If it's too good to be true then it probably isn't.

  10. Peter J Taylor · 1234 days ago

    Yesterday I received an invitation to update Java on OSX 10.7 Lion. I followed the instructions and installed it on Firefox, with no ill effects (yet!).
    I presume that if it had been malware, I would have got the request to allow an unknown applet to access my computer. No such pop-up appeared.
    Also if it had been malware, Sophos would have intercepted it. Am I right?

    • lewis · 1233 days ago

      You still may be infected; this could have been what's known as a silent Java drive-by, which installs a trojan/virus on your machine without any kind of warning etc.

      I'm sure that if it was, Sophos should pick up suspicious activity within the computer; also, just make sure you keep Sophos up-to-date and perform regular scans.

      I'm not trying to scare you, I'm just stating what is a possibility.

      Cheers, Lewis

  11. Penguin · 1233 days ago

    Keep using Windows.

  12. These people aren't hackers, guys! They are called crackers. In the entire world, there are only a few hackers and they're not interested in your FB info. They're not interested in social networking at all. This is called cracking. Only in their dreams would crackers even come close to hacking. Crackers suck, really, because what they do is use most users' ignorance, cause lots of trouble, even try to install chaos among people. It's a pain, I know, but this isn't hacking, this is cracking.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley