October 30th, 2009, 12:10 GMT

Malicious Emails Claim Facebook Passwords Were Reset

Bredolab variant distributed through fake Facebook emails
Security researchers warn that a new malware distribution campaign masquerading as Facebook password reset notification e-mails is making the rounds. The attached .ZIP archives contain a Trojan downloader, which is used to deploy scareware on the compromised systems.

The rogue emails have their From field spoofed so that they appear to have been sent from a service@facebook.com address. Their subject is “Facebook Password Reset Confirmation” and they come with an attached file called Facebook_Password_####.zip (where # is a random letter or digit).

Sample of the fake Facebook password reset confirmation emails
“Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in the attached document,” the emails, allegedly signed by “The Facebook Team,” read.
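The header and attachment traits reported above can be turned into a simple mail-filter check. The following is an added example, not code from the article or from the vendors it quotes; the function names and the sample message are constructed, and it assumes that “####” stands for exactly four characters.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators as reported in the article. Assumption: "####" is exactly four letters or digits.
SENDER = "service@facebook.com"
SUBJECT = "facebook password reset confirmation"
ATTACHMENT_RE = re.compile(r"Facebook_Password_[A-Za-z0-9]{4}\.zip", re.IGNORECASE)

# Constructed sample message (not a captured email).
SAMPLE = """\
From: The Facebook Team <service@facebook.com>
Subject: Facebook Password Reset Confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You can find your new password in the attached document.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Facebook_Password_a1B2.zip"

placeholder-bytes
--b1--
"""


def lure_indicators(raw_message: str) -> list[str]:
    """Return which of the reported campaign indicators a raw message carries."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    # The From header is sender-controlled; it is a lure trait, not proof of origin.
    if parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.append("from")
    # policy.default decodes RFC 2047 encoded-words before the comparison.
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.append("subject")
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    if any(ATTACHMENT_RE.fullmatch(n.strip()) for n in names):
        hits.append("attachment")
    return hits


def matches_campaign(raw_message: str) -> bool:
    """Flag only when the attachment pattern coincides with a header indicator."""
    hits = lure_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2
```

Requiring the attachment pattern together with a header match keeps ordinary mail that merely mentions a password reset from being flagged.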

Obviously, opening the attached file is not a good idea, as the archive contains the installer for a new version of the Bredolab Trojan. It is worth noting that the Bredolab authors are using this Trojan as a deployment platform for other malware, in order to generate revenue.

In this case, it appears that they are collecting per-install fees from scareware pushers. “Upon execution, TROJ_BREDLAB.SMF connects to a malicious website and downloads a FAKEAV variant detected as TROJ_FAKEAV.BLV,” Maria Alarcon, anti-spam research engineer at Trend Micro, warns.

FakeAV, also known as scareware or rogueware, is a class of malicious programs which attempt to trick users into paying unnecessary license fees. It does this by falsely alerting users that their computers are infected and suggesting they acquire a registration code.

The password reset notification lure is not new. “Such emails have been successful already a few years ago. I thought we wouldn’t see them again as the people should already know not to execute attachments from emails they didn’t request. Anyhow, the recent spam waves teach us something else,” Dirk Knop, Avira’s technical editor, notes.

Cybercrooks have displayed an unusual tendency of digging up old tricks, which might suggest this strategy is working. One such example is the similar fake “contract of settlements” emails that have recently been observed, a theme temporarily used back in November 2008.
