Facebook-themed spam targets CEOs, steals passwords


by David Michmerhuizen – Security Researcher

The spam traps at Barracuda Labs have detected an ongoing malicious email campaign that leverages the Facebook brand and seems to target CEOs, particularly fat ones.

Like many of the best spam emails, it is stark in its simplicity. The body is in HTML format, which may not render in every mail viewer. In those that do render it, a single intriguing link is presented, with the Facebook domain used in the link to make it look innocent. Even if you're not a fat CEO yourself, who doesn't want to see what fat CEO is being referred to in the message?

Of course, the careful computer user will check the real destination of the link that is provided.   As the variant below shows, they are not the same.  Facebook isn't even involved.
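The same check can be automated on the mail gateway or in a triage script. The following is an added example, not code from Barracuda Labs: it parses an HTML body and reports every anchor whose visible text names one domain while the `href` points to another. The names `LinkAuditor` and `mismatched_links`, the `example.net` destination, and the naive "last two labels" domain comparison are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches a hostname-looking token in the visible link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host):
    """Naive last-two-labels domain (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href = None   # href of the anchor currently open, if any
        self.text = []     # visible text collected inside that anchor
        self.links = []    # (visible text, href) for every closed anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.text = []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def mismatched_links(html):
    """Return (shown_domain, real_domain, href) for deceptive anchors."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    out = []
    for text, href in parser.links:
        shown = HOST_RE.search(text)          # domain the reader sees
        real = urlparse(href).hostname        # domain the click goes to
        if shown and real and registrable(shown.group(1)) != registrable(real):
            out.append((registrable(shown.group(1)), registrable(real), href))
    return out

# Constructed sample body; example.net stands in for the real destination.
SAMPLE = ('<p>Look at this fat CEO: <a href="http://landing.example.net/p?id=1">'
          'http://www.facebook.com/profile.php?id=1</a></p>'
          '<p><a href="https://www.facebook.com/help">facebook.com/help</a></p>')
```

Links whose visible text contains no domain at all (for example "click here") are not flagged by this check and need other signals.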

Clicking on one of these links causes a set of exploits to be quietly delivered to the browser, primarily malicious PDF files.

While the browser is being exploited, some Facebook page (which may be real) is displayed to make it appear that your click had some actual purpose.

Sad to say, there is no CEO on this Facebook page at all, just an ugly cat.

As is so often the case with malware attacks, it's what you can't see that hurts you.  If one of the exploits finds a vulnerability to take advantage of, a version of Trojan.Zeus is downloaded.

This common family of malware inserts itself into the HTTP transmission chain and intercepts Web pages that contain user account and password information.  The trojan then sends that data back to a command and control server.    Zeus has been implicated in hundreds of cases of online bank account theft.   Even without the direct theft of banking credentials, the trojan can steal passwords for other online services which can then be tried against more lucrative targets.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam mailings, and Barracuda Web Filters and the Barracuda Web Filtering Service block access to the linked malware.




