The bottom falls out of Facebook email malware

The bottom falls out of Facebook email malware

Email claiming to come from FacebookSophosLabs has intercepted a malware attack that has been spammed out, pretending to be a notification about a Facebook friend’s sexy video.

Although you may think that as the emails are written in Spanish, they are unlikely to trick many non-speakers to click on the malicious link contained within.

However, an embedded thumbnail of a semi-naked young woman may be enough for many to venture further without thinking of the possible consequences.

I’ve edited the screenshot below because even after blurring and pixellating, it still looked really rather rude. Anyway, you can still see enough of the email to get the gist of what to look out for in your inbox.

Malicious Facebook email

Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en..

This (very roughly) translates to:

Cutey! Ha ha ha.. don't show this video to anyone. It's only for you! Why? Because I love you! I liked your video a lot..

If you didn’t have your wits about you, you might be fooled into believing that you have accidentally found yourself caught between a sexy conversation between two latin lovers.

If you click on a link in the email, however, you are taken to a webpage that tries to download a file called Video_Multimedia.exe to your computer. Sophos intercepts that file as malware, identifying it as Troj/Agent-YGD.

TortoiseSVNCuriously, the executable file contains version information stolen from a legitimate application – TortoiseSVN, a client for Subversion, the Apache version control software.

Presumably the malware authors deliberately chose to steal information from a legitimate application in the hope that it would trick anti-virus scanners into believing that the file was safe.

It’s important to understand that these particular emails do not appear to have been sent via Facebook. Although they “borrow” Facebook’s logo and styling, they have been deliberately crafted to appear like a legitimate email notification from the social network.

If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 190,000 people.