Malware spread as Facebook photo tag notification

Filed Under: Facebook, Malware, Social networks, Spam, Vulnerability

Malicious emails, claiming to come from FacebookBe wary of emails claiming to be from Facebook, and saying that you have been tagged in a photograph.

Because it might be that you're the next potential victim of a malware attack.

SophosLabs has intercepted a spammed-out email campaign, designed to infect recipients' computers with malware.

Here is an example of what a typical email can look like:

Malicious email claiming to come from Facebook

Subject: Christine McLain Gibbs tagged a photo of you on Facebook
From: Facebook <>

(Did you notice what was odd about the email? The 'from' address misspells Facebook as "Faceboook" with three "o"s)

If you click on the link in the email, you are not taken immediately to the real Facebook website.

Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit, and puts your computer at risk of infection by malware).

Malicious script

To act as a smokescreen, however, within four seconds your browser is taken via a META redirect to the Facebook page of a presumably entirely innocent individual.

Facebook page

SophosLabs are adding detection of the malware as Troj/JSRedir-HW.

Please be on your guard. You would have been protected from this threat if you had kept your wits about you.

Even if you didn't notice that "Faceboook" was spelt incorrectly, you could have seen by hovering your mouse over the link that it wasn't going to take you directly to the genuine Facebook website.

If you don't take the right steps to protect your computer, one day a cybercriminal might find the right social engineering trick to dupe you into making a bad decision or visit a dangerous website.

Hat-tip: Thanks to Anna and Fraser in SophosLabs for their assistance with this article.

Fly image, courtesy of Shutterstock.

, , , , ,

You might like

19 Responses to Malware spread as Facebook photo tag notification

  1. Phil R · 1142 days ago

    Is it time we got into the habit of authenticating more emails in the same way as we trust that little padlock in our web browsers? With phishing scams so widespread but more and more information being pumped at us this is hardly to be the last we'll see of these scams.

    Sophos always does well, but a lot of its protection (besides education like this) is re-active. You have to wait for someone to be duped before you fix it.

  2. Holly · 1142 days ago

    OK, so what do we do if we clicked on it?

  3. Nicelhady · 1141 days ago

    How to share this on fb?

  4. Sam · 1141 days ago

    It would be really nice if journalists proofread their articles and used the correct word... it's "spelled" not "spelt".. unless of course you are hungry...

    • Or.. unless of course you're English. :)

      Which I am.

      Hence "Spelt" is perfectly correct for me to use. I'm going to take a guess that you're American. :)

      • Marc · 1141 days ago

        Kudos Sir, well played :)

      • D Albano · 1140 days ago

        Spelt is also correct in the northern half of North America...

      • Dick · 1140 days ago

        Indeed, there are many Englishes. American and British English are merely two among probably dozens. English is used as official language in many countries and regions, and each one has its own variations.

    • ATG · 1137 days ago

      It is only proper to correct the mistakes of your children and/or your students. All others are off limits. It is in poor taste, and Miss Manners forbids it. We are better served by taking a stab at understanding the intended message despite discrepancies in the graphical means of conveying it. Do you see that you have completely stomped on the communication that was being offered? Why would you think we prefer that to the discussion we were interested in reading about?

      Back on topic, the misspelled words in malicious emails are the most common clues that something isn't right.

  5. Kater48 · 1141 days ago

    You're right Graham. My dictionary defines 'spelt' as the "pt. & pp. of spell". But I agree with Sam that folks should check their spelling and grammar. Have a good one, everybody.

  6. @_BrianMahoney · 1141 days ago

    This is still being used...without the three o's in the word Facebook. They are also using the same person's name, that's how I found this article.
    The links show '' which is a Christian site and the IP address shows as Site5 hosting. I've notified both in the hopes that they can track down the source.

  7. John Hicks · 1141 days ago

    The article implies that if "faceboook" had been "spelt" correctly, there would be less risk. In reality, the "from" address on any email can be easily faked .. by anyone.

    The most meaningful precaution to take is to check each link by hovering your mouse over it (or by viewing the source of the email). This should be done before clicking on any link in ANY email, even mail supposedly from friends.

    But even here you must be able to distinguish between legitimate links and faked links crafted to appear to be legitimate.

    For example: leads to the real Facebook site, but leads to a different domain entirely.

  8. Many of facebook users are get caught even by more obvious methods. It is better to turn off those facebook alerts because most of the people access facebook more often than their email...

  9. Dan · 1140 days ago

    There's a lot to be said for doing general browsing and mail reading in a properly secured linux VM, using a non-privileged account.

  10. Dean Allen · 1140 days ago

    I found a simular e-mail from Facebook
    "Hi ,
    Amanda Phillips commented on your Wall post.
    Amanda wrote: "f____ you retard!"

    See the comment thread
    Reply to this email to comment on this post.
    The Facebook Team"
    (I took out the f word)
    The links take you to: www.*******.com/web.html

    I opened it inadvertently on my iPad and Macbook Pro nothing seemed to happen then it went to Facebook. every I can find on the web indication is Safari is not suceptable to the this malware, but you never know. I cleared & Reset my browser. Anybody know anything more?

    • Thanks for the info. (I've excised the url in your comment above to protect others)

      The email you saw was certainly a similar malware campaign - which Sophos blocks as Mal/Iframe-W. As far as we have found the attack was designed to infect Windows computers, so your Mac should be fine.

      But there, is of course, no harm in running an up-to-date anti-virus on your Mac. Our product is free for home users -

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley