Wednesday, April 13, 2011

Facebook Support. Personal data has been changed!

There appears to be a new malicious email being sent out with the subject: "Facebook Support. Personal data has been changed! ID75300"

In a previous post I already explained a similar campaign:
Your FaceBook password has been changed


First of all, you would receive an email similar to this one:

Email claiming your personal data has been changed.


The email content is the following:

Dear user of FaceBook.

Your password is not safe! To secure your account the password has been changed automatically.

Attached document contains a new password to your account and detailed information about new security measures.

Thank you for your attention,
Administration of Facebook.


Your password from Facebook appears to be unsafe and you need to verify attached document to view your new login information. There is a file attached called "New_Password_NU44133.zip"

Inside the ZIP file you will find a file called New_Password.exe:


The file New_Password.exe is in fact not a Microsoft Word document, as you may suspect from the icon, but is in fact a malicious executable:

New_Password.exe
Result: 19/42 (45.2%)
MD5: 99a7cc6e674b94fbecef52f520c03dc3

The file also drops the following executable on the system:

aspimgr.exe
Result: 39/42 (92.9%)
MD5: 4531d9d75dab83c957122538b6fc92ba


The executable also tries to connect (called "phoning home") to download additional malware. However, at time of writing the URLs were offline.


Conclusion

If you receive emails like this, you should already be alerted:
"Why would Facebook send me an email my password has been changed ?"

The answer is simple: they don't. Whether you have Facebook or not, instantly delete the email and don't look back.


1 comment: