Security researchers warn of infected emails carrying a variant of the Oficla trojan, which pose as new password notifications from Facebook.
The rogue emails can have different subjects, like "Facebook Service. Your password has been changed. ID309", "Facebook Service. Your account is blocked. ID799", "Facebook Support. Your password has been changed. ID991" or "Facebook Support. A new password is sent to you. 920."
Their From field is spoofed and the purported originating addresses rotate; email@example.com and firstname.lastname@example.org are two examples.
The message body is not very well formulated and should easily tip off native English speakers that it is not an official communication. It reads as follows:
A spam is sent from your Facebook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Thank you for your attention,
The name of the attachment is Facebook_document_Nr59469.zip (where the number can vary) and the archive contains a malicious executable.
This file installs a variant of the Oficla trojan, which is commonly spread via fake emails purporting to come from legitimate companies.
Oficla, which is also known as Sasfis, serves as a distribution platform for other malware, fake antivirus programs most of the time.
The good news is that this particular variant has a fairly good detection rate at the moment, especially across the most popular antivirus programs.
According to Belgian email security vendor MX Lab, the malware communicates with a .ru domain and downloads an additional executable from a third-party server.
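A mail-gateway triage check built only on the indicators this report gives (the subject wording ending in a numeric ID, the Facebook_document_Nr<digits>.zip attachment name, and the lure's body phrases), as an added example that is not part of the original article and not code from MX Lab or any other vendor named here. The two sample messages are constructed for the example; the check that a "Facebook Service/Support" subject arrives from a non-facebook.com address is an added heuristic of mine, and the two-indicator quarantine threshold is an assumption.

```python
import re
from typing import Optional
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Indicators taken from the report: "Facebook Service./Support." subjects that end
# in a numeric ID, the Facebook_document_Nr<digits>.zip attachment name, and two
# phrases from the lure body. The messages built further down are constructed
# samples, not captured mail.
SUBJECT_RE = re.compile(r"^Facebook (Service|Support)\. .+?\b(?:ID)?\d{3,}\.?$")
ATTACHMENT_RE = re.compile(r"^Facebook_document_Nr\d+\.zip$", re.IGNORECASE)
BODY_PHRASES = (
    "spam is sent from your facebook account",
    "password has been changed for safety",
)
# Heuristic added here (an assumption, not from the report): mail whose subject
# claims to be from Facebook but whose From address is not on facebook.com.
LEGIT_DOMAIN = "facebook.com"


def _text_body(msg: Message) -> str:
    """Concatenate every text/plain part, undoing the transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> list:
    """File names from Content-Disposition / Content-Type of every part."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Return which campaign indicators fire on one RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    hits = []
    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        hits.append("subject")
    if any(ATTACHMENT_RE.match(n) for n in _attachment_names(msg)):
        hits.append("attachment")
    body = _text_body(msg).lower()
    if any(phrase in body for phrase in BODY_PHRASES):
        hits.append("body")
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_facebook = "facebook" in subject.lower()
    if claims_facebook and not (domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)):
        hits.append("sender-domain")
    # Assumed policy: two independent indicators quarantine, one is logged for review.
    verdict = "quarantine" if len(hits) >= 2 else ("review" if hits else "clean")
    return {"verdict": verdict, "hits": hits}


def build_sample(subject: str, sender: str, body: str, attachment: Optional[str]) -> str:
    """Construct a multipart message string for testing (placeholder content only)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg.attach(MIMEText(body, "plain"))
    if attachment:
        # Placeholder bytes standing in for the archive; not the real payload.
        part = MIMEApplication(b"PK\x03\x04 placeholder zip bytes", Name=attachment)
        part.add_header("Content-Disposition", "attachment", filename=attachment)
        msg.attach(part)
    return msg.as_string()


# Constructed samples: one lure modelled on the report, one ordinary message.
LURE = build_sample(
    "Facebook Service. Your password has been changed. ID309",
    "Facebook Support <support@example.com>",  # spoofed sender, as in the campaign
    "A spam is sent from your Facebook account.\nYour password has been changed for safety.\n",
    "Facebook_document_Nr59469.zip",
)
BENIGN = build_sample(
    "Lunch on Friday?",
    "Alice <alice@example.org>",
    "Are you free at noon?",
    None,
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The subject strings and ID numbers in a campaign like this churn quickly, so the attachment-name pattern and the body phrases carry most of the weight; the sender-domain heuristic catches the spoofed From field independently of the wording.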
Fake Facebook emails have been used to distribute malware in the past, but the theme of this campaign might have been inspired by a recent incident where a bug in one of the site's systems led to numerous accounts being wrongfully suspended.