Sep 21, 2010 14:55 GMT  ·  By

Security researchers from Websense warn that a new round of spam emails carrying malicious attachments poses as password reset notifications sent by Facebook employees.

An example of such an email bears a subject of "Facebook Password Reset Confirmation" and its From field lists "Facebook Security-Manager, Sylvia Eary" as sender.

Compared to previous spam campaigns built on a Facebook password reset theme, the message body is well formulated. It reads:

"Hey,

You have a requested a new password.

You can find your new password in attached file.

Please pay attention to the fact that this email has been sent to all contact emails connected to your account. If you did not request a new password, it's likely that another user has mistakenly attempted to log in with the help of your login.

For more information, check our Help Center at http://www.facebook.com/help/?topic=login

Thank you,

The Facebook Team"

It's worth noting the presence of a link to the genuine Facebook Help Center, which was probably included to add credibility to the messages, or because they were built from a real Facebook email template. The link itself is harmless; the malicious component of these emails is the attachment, not the URL.

The attached file is called FacebookDOCN######.zip (where each # stands for a single digit) and, according to Websense, it contains the same type of threat as a similar campaign that circulated last week.

In that case, the distributed malware was a version of the Oficla trojan, which, after execution, downloaded and installed a scareware application.

Oficla, which is also called Sasfis by some antivirus vendors, is a family of trojans commonly used as a distribution platform for other threats.

Scareware pushers are amongst the top customers for such pay-per-install (PPI) schemes, because this model offers them a good return on investment.

We're not sure what the conversion rate for scareware is, but a single scareware victim can generate a profit of over $50, which in turn can pay for the infection of roughly as many more computers.

As usual, users are advised to exercise caution when opening email attachments, even if they appear to be legitimate. Scanning such files with online multi-antivirus-engine services like VirusTotal is always a good idea; submitting the file's hash first avoids uploading anything you are not yet sure about.
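The indicators quoted above (the lure subject, the spoofed "Facebook" display name, the FacebookDOCN######.zip naming pattern and a zip archive carrying an executable) are enough to triage a suspect message before anyone opens it. The script below is an added example written for this page, not code from Websense or Softpedia: it parses a raw .eml, checks those indicators, lists the archive members and computes the SHA-256 you would look up on VirusTotal (it makes no network calls). The sender address, the allow-listed Facebook sending domains, the six digits in the attachment name and the zip member name are assumptions used to build a constructed sample message; the campaign's real attachment contents are not on this page.

```python
"""Triage an .eml against the indicators of the Facebook password-reset lure."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators quoted in the article: lure subject, spoofed display name and
# the FacebookDOCN######.zip attachment name (six digits).
SUBJECT_RE = re.compile(r"^Facebook Password Reset Confirmation$", re.I)
DISPLAY_NAME_RE = re.compile(r"facebook", re.I)
ATTACHMENT_RE = re.compile(r"^FacebookDOCN\d{6}\.zip$", re.I)
# Domains Facebook legitimately sends from (assumption; adjust to your own allow-list).
LEGIT_SENDER_DOMAINS = ("facebook.com", "facebookmail.com")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def is_legit_domain(domain):
    """Exact or subdomain match only, so 'facebook.com.evil.net' does not pass."""
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def inspect_zip(data):
    """Return (member name, is_executable) for each member of an in-memory zip."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                magic = fh.read(2)  # 'MZ' marks a Windows PE regardless of extension
            is_exe = info.filename.lower().endswith(EXECUTABLE_EXTS) or magic == b"MZ"
            members.append((info.filename, is_exe))
    return members


def analyse_message(raw):
    """Score one raw RFC 822 message; returns the evidence, not just a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    if SUBJECT_RE.match(subject):
        findings.append("subject matches the campaign lure")
    if DISPLAY_NAME_RE.search(display_name) and not is_legit_domain(domain):
        findings.append(f"display name claims Facebook but address domain is {domain or '(none)'}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # SHA-256 is what you would search on VirusTotal before uploading or detonating anything.
        record = {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "members": []}
        if ATTACHMENT_RE.match(name):
            findings.append(f"attachment {name} matches FacebookDOCN######.zip")
        if zipfile.is_zipfile(io.BytesIO(data)):
            record["members"] = inspect_zip(data)
            for member, is_exe in record["members"]:
                if is_exe:
                    findings.append(f"zip member {member} is an executable")
        attachments.append(record)

    return {
        "subject": subject,
        "sender_domain": domain,
        "attachments": attachments,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


def build_sample_eml(malicious=True):
    """Constructed test message, not a captured sample. The malicious variant
    reproduces the lure's headers and attachment name with a harmless zip whose
    member carries only an 'MZ' stub; the sender address is a made-up domain."""
    msg = EmailMessage()
    msg["To"] = "victim@example.org"
    if malicious:
        msg["From"] = '"Facebook Security-Manager, Sylvia Eary" <reset@example-mailer.net>'
        msg["Subject"] = "Facebook Password Reset Confirmation"
        msg.set_content("Hey,\n\nYou can find your new password in attached file.\n")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("FacebookPassword.exe", b"MZ" + b"\x00" * 62)  # stub, not a real PE
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="FacebookDOCN482913.zip")
    else:
        msg["From"] = '"Facebook" <notification@facebookmail.com>'
        msg["Subject"] = "You have a new friend request"
        msg.set_content("Someone sent you a friend request.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        report = analyse_message(build_sample_eml(malicious=flag))
        print(report["suspicious"], report["findings"])
```

The verdict deliberately requires two independent findings, so a genuine Facebook notification with the word "Facebook" in its display name is not flagged on its own, while the lure trips the subject, sender, filename and archive checks at once. Feed `analyse_message()` the bytes of any .eml to reuse it.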

Images: New Facebook-themed spam campaign in circulation; Sample of fake Facebook password reset confirmation email