SophosLabs has intercepted a malware attack that has been spammed out, pretending to be a notification about a Facebook friend’s sexy video.
You may think that, as the emails are written in Spanish, they are unlikely to trick many non-speakers into clicking on the malicious link contained within.
However, an embedded thumbnail of a semi-naked young woman may be enough for many to venture further without thinking of the possible consequences.
I’ve edited the screenshot below because even after blurring and pixellating, it still looked really rather rude. Anyway, you can still see enough of the email to get the gist of what to look out for in your inbox.
Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en..
This (very roughly) translates to:
Cutey! Ha ha ha.. don't show this video to anyone. It's only for you! Why? Because I love you! I liked your video a lot..
If you didn’t have your wits about you, you might be fooled into believing that you had accidentally stumbled into the middle of a sexy conversation between two Latin lovers.
If you click on a link in the email, however, you are taken to a webpage that tries to download a file called Video_Multimedia.exe to your computer. Sophos intercepts that file as malware, identifying it as Troj/Agent-YGD.
Curiously, the executable file contains version information stolen from a legitimate application – TortoiseSVN, a client for Subversion, the Apache version control software.
Presumably the malware authors deliberately chose to steal information from a legitimate application in the hope that it would trick anti-virus scanners into believing that the file was safe.
It’s important to understand that these particular emails do not appear to have been sent via Facebook. Although they “borrow” Facebook’s logo and styling, they have been deliberately crafted to appear like a legitimate email notification from the social network.
If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 190,000 people.
I don't understand how they can steal version information – aren't the apps supposed to be digitally signed?
The version information itself is just a number of fields of text. You can copy the text and put it into your application easily enough, but you're right that you can't simply copy the digital signature. (This applies to the entire application, not just to the version data, so that you can't change anything in the app without invalidating the signature).
It would probably have been clearer if Graham had written "version info copied from a legitimate app", but it wouldn't have conveyed the element of dishonesty about it.
Lawyers will no doubt also notice that the version info wasn't technically "stolen" – just as joyriders TWOC and don't steal when they "borrow" your car – since there was no intent permanently to deprive. Tell that to the Marines!
That's what happened here. The version info was "taken without consent". In popular parlance, it was lifted, nicked, half-inched, filched, pirated, secretly borrowed… in a word, stolen 🙂
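The article's point that the version resource was copied from TortoiseSVN, and the reply above that a digital signature covers the whole file rather than the version text, can be turned into a defender's check. The following PowerShell script is an added example, not code from the article or from Sophos: it assumes a Windows host, a scan path and the product string "TortoiseSVN" (both placeholders, supplied as parameters), and uses the built-in Get-AuthenticodeSignature cmdlet to list files whose version info claims the product but which do not carry a valid signature.

```powershell
# Added example (not from the Sophos article): flag executables whose version
# resource claims a well-known product but which carry no valid Authenticode
# signature. Scan path and product string are assumptions passed as parameters.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string]$ClaimedProduct = 'TortoiseSVN'
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Version resource fields are free text; anyone can write anything into them.
        $claims = ($vi.ProductName, $vi.CompanyName, $vi.FileDescription) -join ' '
        if ($claims -match [regex]::Escape($ClaimedProduct)) {
            # The signature, unlike the version text, is bound to the whole file,
            # so a copied version block does not bring a valid signature with it.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                ProductName = $vi.ProductName
                CompanyName = $vi.CompanyName
                SigStatus   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Suspicious  = ($sig.Status -ne 'Valid')
            }
        }
    } |
    Where-Object { $_.Suspicious } |
    Format-Table -AutoSize
```

A match on the version text is only a hint, since those fields prove nothing; the signature status is the fact that matters. Each row the script prints is a file that claims to be a known product but cannot prove it, which is exactly the pattern Troj/Agent-YGD relied on.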
Slightly off topic but still relevant… apologies.
This is also spilling into the public world, not just the walled garden of Facebook… Our MTA is currently receiving 50 emails per second from forged usernames @facebookmail.com.
We push a reject to the server: ANYTHING@domain = facebookmail.com REJECT.
Guess you can't do that inside the Facebook environment…