Softpedia
 


November 18th, 2010, 15:40 GMT · By

Infected Emails Pose as New Password Notifications from Facebook


Oficla spam masquerades as Facebook notifications
Security researchers warn of infected emails carrying a variant of the Oficla trojan, which pose as new password notifications from Facebook.

The rogue emails can have different subjects, like "Facebook Service. Your password has been changed. ID309", "Facebook Service. Your account is blocked. ID799", "Facebook Support. Your password has been changed. ID991" or "Facebook Support. A new password is sent  to you. 920."

Their From field is spoofed and the alleged originating addresses rotate; donotreply.nr.6170@facebook.com and customer.nr.678@facebook.com are two examples.

The message body is not very well formulated and should easily tip off native English speakers that it is not an official communication. It reads as follows:

"Dear Customer!

A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.
"

The name of the attachment is Facebook_document_Nr59469.zip (where the number can vary) and the archive contains a malicious executable.

This file installs a variant of the Oficla trojan, which is commonly spread via fake emails purporting to come from legitimate companies.
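The traits described above (subject line, spoofed From address, attachment name, executable inside the ZIP) can be combined into a mail-filter check. The following is an added example, not code from the article or from MX Lab; the regular expressions generalise the quoted samples on the assumption that only the digits and the local-part word vary, and `score_message`, `zip_has_executable` and `build_sample` are hypothetical names.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns generalised from the samples quoted in the article. Assumption:
# only the digits (and the local-part word) change between messages.
SUBJECT_RE = re.compile(r"^Facebook (?:Service|Support)\. .+ (?:ID)?\d+\.?$")
FROM_RE = re.compile(r"^[a-z]+\.nr\.\d+@facebook\.com$")
ATTACH_RE = re.compile(r"^Facebook_document_Nr\d+\.zip$", re.I)

def zip_has_executable(data: bytes) -> bool:
    """True if any archive member starts with the PE/DOS 'MZ' magic."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zf.open(i).read(2) == b"MZ"
                       for i in zf.infolist() if not i.is_dir())
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        return False

def score_message(raw: bytes) -> list[str]:
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        hits.append("subject")
    if FROM_RE.match(parseaddr(str(msg.get("From", "")))[1].lower()):
        hits.append("from")
    for part in msg.iter_attachments():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("attachment-name")
        if zip_has_executable(part.get_payload(decode=True) or b""):
            hits.append("exe-in-zip")
    return hits

def build_sample() -> bytes:
    """Constructed message; the 'executable' is a harmless 64-byte MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed_sample.exe", b"MZ" + b"\x00" * 62)
    m = EmailMessage()
    m["From"] = "Facebook Service <donotreply.nr.6170@facebook.com>"
    m["Subject"] = "Facebook Service. Your password has been changed. ID309"
    m.set_content("Dear Customer!")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Facebook_document_Nr59469.zip")
    return m.as_bytes()
```

The executable-in-ZIP check is the only trait that does not depend on the sender reusing the same wording, so it is the one worth keeping when the subject and attachment names change.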

Oficla, which is also known as Sasfis, serves as a distribution platform for other malware - fake antivirus programs most of the time.

The good news is that this particular variant has a fairly good detection rate at the moment, especially across the most popular antivirus programs.

According to Belgian email security vendor MX Lab, the malware communicates with a .ru domain and downloads an additional executable from a third-party server.

Fake Facebook emails have been used to distribute malware in the past, but the theme of this campaign might have been inspired by a recent incident where a bug in one of the site's systems led to numerous accounts being wrongfully suspended.

