Have you received an email asking you to confirm that you wish to cancel your account?
Be on your guard.
A Naked Security reader was in touch with us earlier today, after his suspicions were aroused by an email he had received – seemingly from Facebook.
Hi [email address]
We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
The Facebook Team
To confirm or cancel this request, follow the link below:
Our correspondent was right to be suspicious. The link doesn’t point to an official Facebook page, but to a third-party application running on the Facebook platform. Of course, that means the link *does* go to a facebook.com address – something that might fool those who are not cautious.
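The point in the paragraph above is easy to get wrong in a mail filter: checking that a link lands on facebook.com is not enough, because third-party platform applications live there too. The following Python is an added example (not code from the post or from Sophos) that extracts the links from a constructed sample of the lure, classifies each by host and path, and combines that with the lure wording into a verdict. It assumes that platform apps were served from apps.facebook.com or under a /apps/ path on the main site; the sample message, its URL and the phrase list are placeholders, not the real addresses behind this campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample message modelled on the lure in the post; the URL is a
# hypothetical placeholder, not the address the reader actually received.
SAMPLE_EMAIL = """Hi user@example.com
We are sending you this email to inform you that we have received an
account cancellation request from you. Please follow the link below
to confirm or cancel this request:
http://apps.facebook.com/hypothetical-app/?cancel=1
The Facebook Team
"""

# Assumptions for this example: Facebook itself is facebook.com and its
# sub-domains, while third-party platform apps were served from
# apps.facebook.com or under a /apps/ path on www.facebook.com.
FACEBOOK_DOMAIN = "facebook.com"
APP_HOST = "apps.facebook.com"
APP_PATH = re.compile(r"^/apps/", re.IGNORECASE)

# Wording taken from the lure quoted in the post; a real filter would carry more.
LURE_PHRASES = ("account cancellation request", "confirm or cancel")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_facebook_host(host):
    return host == FACEBOOK_DOMAIN or host.endswith("." + FACEBOOK_DOMAIN)


def classify_link(url):
    """Classify a URL as 'official', 'platform_app', 'lookalike' or 'external'.

    The distinction that matters for this lure: a facebook.com link is not an
    official Facebook page if it lands on a third-party application.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == APP_HOST or (_is_facebook_host(host) and APP_PATH.match(parsed.path)):
        return "platform_app"
    if _is_facebook_host(host):
        return "official"
    # Lookalikes: 'facebook' buried inside another domain (facebook.com.evil.example)
    # or a registrable label that merely starts like it (facemail.com).
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else host
    if "facebook" in host or registrable.startswith("face"):
        return "lookalike"
    return "external"


def scan_email(body):
    """Return the links found, the lure phrases matched, and an overall verdict."""
    text = " ".join(body.lower().split())  # collapse line breaks inside phrases
    lure_hits = [p for p in LURE_PHRASES if p in text]
    links = [(u, classify_link(u)) for u in URL_RE.findall(body)]
    untrusted = [u for u, cls in links if cls != "official"]
    if lure_hits and untrusted:
        verdict = "suspicious"  # lure wording plus a link that is not an official page
    elif lure_hits:
        verdict = "review"      # lure wording, but every link is an official page
    else:
        verdict = "clean"
    return {"links": links, "lure_phrases": lure_hits, "verdict": verdict}


if __name__ == "__main__":
    result = scan_email(SAMPLE_EMAIL)
    for url, cls in result["links"]:
        print(f"{cls:13s} {url}")
    print("verdict:", result["verdict"])
```

Run it directly to see the per-link classification for the sample. `classify_link` is the reusable piece; the lookalike heuristic is deliberately crude and would need a proper registrable-domain check (a public-suffix list) before production use.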
The first thing you’re likely to encounter if you click on the link is a message asking you whether you want to allow an unknown Java applet to run on your computer.
And it seems they’re pretty insistent that you allow it. If you hit the “No thanks” button, they’ll just carry on pestering you to allow the Java applet to run.
The social engineering being used by the tricksters behind this malware attack is pretty cunning. They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.
The hope of the cybercriminals is that victims will blindly agree to whatever the computer tells them to do, in order to “fix” the account cancellation request.
If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated.
Of course, the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, intended to allow remote hackers to spy on your activities and take control of your computer.
Sophos security products detect the malware as Mal/SpyEye-B and Troj/Agent-WHZ, and block access to the website hosting the dangerous code.
Hat-tip: Thanks to SophosLabs researcher Joanne Garvey for her assistance in researching this threat.
18 comments on “Facebook account cancellation malware poses as Adobe Flash update”
Wow, the hacker community is getting smarter by the minute. Scary stuff.
Don't ever think the hacker community isn't leaps and bounds more intelligent than the rest of us… They are.
The majority of the ‘hacker’ community isn’t so very intelligent, most of these ‘hacks’ use toolkits created by the few who are very bright.
Thing is, it’s just a sad fact that the majority of users of systems like Facebook are just stupid and mindlessly click on anything, as this blog points out, which is why this sort of attack works so widely.
Thanks again, Sophos!
Why hide the URL/IP address?
That really is bizarre. I got a comment on my blog earlier today that contained a link to a page which downloaded the "Adobe update" – as a zip file. Luckily I'm in Chrome, so it didn't do anything, but I was confused by that.
I don't know what we would do without you. Thank you.
I also got a pop up telling me I needed to update my Java. I didn't do it but planned to later. Glad I got the message!
Are you sure that it wasn't a notice by Java itself, your browser or even Windows? In that case you should actually act on it promptly.
Why inform us of the Malware and then hide the URL addresses?
This has been out for ages now and there are hundreds of public guides on how to create your own Java applet; in the hacker world it's known as a Java drive-by (JDB).
It's Facebook's fault in this issue for allowing such malicious applets to be hosted on their site. As I have said previously in other posts, Facebook should have their own dedicated team that manually inspects all applications created on their site.
Also these hackers are noobs compared to others I have seen; it is so easy to use an email spoofer and they could have put firstname.lastname@example.org or whatever they please. Although facemail.com shown in the pic is enough to fool the average FB user.
Good read, cheers Sophos again.
Spot on: "The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform."
As I read through the article, I was surprised Mr Cluley didn't emphasise that point.
We're all used to malicious spam using pages on (often, hacked) domains that are unrelated to the supposed sender (and the better e-mail programs print out the actual link target, rather than the display one, when they spot this trick), but a link we can verify does go to the correct domain could catch out all but the ultra-wary amongst us.
A $104 billion company should be taking much better care of its customers. (Only the other day, we were berating poor little Adobe – under $6 billion – because it hadn't been keen to hand out a fix of some obscure security bug in ancient versions of its product.)
I totally agree with you, and after reading my post I am very ashamed about my spelling :/ I have dyslexia.
I would be suspicious simply because of the idea that Facebook would allow anybody to cancel their account so easily. If it's too good to be true then it probably isn't.
Yesterday I received an invitation to update Java on OSX 10.7 Lion. I followed the instructions and installed it on Firefox, with no ill effects (yet!).
I presume that if it had been malware, I would have got the request to allow an unknown applet to access my computer. No such pop-up appeared.
Also if it had been malware, Sophos would have intercepted it. Am I right?
You still may be infected; this could have been what's known as a silent Java drive-by, which installs a trojan/virus on your machine without any kind of warning etc.
I'm sure that Sophos should pick up suspicious activity within the computer; also just make sure you keep Sophos up to date and perform regular scans.
I'm not trying to scare you, I'm just stating what is a possibility.
Keep using Windows.
These people aren’t hackers, guys! They are called crackers. In the entire world, there are only a few hackers and they’re not interested in your FB info. They’re not interested in social networking at all. This is called cracking. Only in their dreams would crackers even come close to hacking. Crackers suck, really, because what they do is use most users' ignorance, cause lots of trouble, even try to instil chaos among people. It’s a pain, I know, but this isn’t hacking, this is cracking.