Thursday, January 27, 2011

Your FaceBook password has been changed

... Or hasn't it ?

A recent spam campaign is spreading claming your Facebook password has been changed, and you need to open the document attached to view your new password.

You might think: "Why attach a document with the password in ? Why not just put it in the email ?"

The truth is of course is that your Facebook password hasn't been changed at all, it is the latest spam campaign trying to infect your computer.

I received the following email with subject:
Your facebook password has been changed. ID9049

Your Facebook password has been changed

Attached is a ZIP file called Included is the following file:

Facebook_Document.exe, seemingly a Word document

Does this look like a Word document ? Yes
Is it a Word document ? No
How can you tell ? By the .exe extension

Result: 35/43 (81.4%)
MD5: e354e01caea7c9e8171a0e839d5016b6
Anubis Report

Additionally, the file tries to connect to:

Domain Hash: 0d251df39c785768e0b9af27880fcc0f
Result: 6/18 (33 %)


If you receive emails like this, you should already be alerted:
"Why would Facebook send me an email my password is changed ?"

They don't. Whether you have Facebook or not, instantly delete the email. In this case, the file was zipped but there was no password.
If your email provider doesn't stop it, your Antivirus should. Keep everything up-to-date people !

I would like to add the blogpost Dancho Danchev made, it is the same spam campaign but with another subject and another malicious executable:

No comments:

Post a Comment