Wednesday, October 28, 2009


The FDIC spam campaign that we reported on yesterday in our story Fake FDIC Spam Campaign Spreads Zeus has already moved on to its next attack. Now its trying to steal your Facebook passwords in what appears at first glance to be a "traditional" phishing attack. (Please see the end of this article for an update on how this "phish" actually is another Zeus malware infection vector.)

The UAB Spam Data Mine has already received more than 250 copies of the new phishing email this morning, which claims:

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security.

Before you are able to use the new login system, you will be required to update your account.

Click (here) to update your account online now.

If you have any questions, reference our New User Guide

The Facebook Team

The email is fake, of course, and so are the websites they point to. So far we've identified 31 unique domain names registered by the criminal for use in this Facebook account.

The website looks like this:

UAB Malware Analyst Brian Tanner took the new Facebook Phish for a drive through the lab, and confirmed that this is NOT JUST A PHISH - in fact it might not be a traditional phish at all. Its actually a Zeus Bot installer, pointing at the same command & control site as yesterday's FDIC version of Zeus:

Clicking on the prompted "UpdateTool.exe" is the infection vector for Zeus. According to the VirusTotal Report for this malware, only 8 of 41 AV products are currently labelling this executable as malware.

File size: 105472 bytes
MD5 : 1198d2ddf09061fbfb70de423cde059f

Update 29OCT09 AM

Spam for this campaign is still coming fast and furious to the UAB Spam Data Mine. More than 200 fresh copies were received already this morning.

File size: 105984 bytes
MD5...: 6aad88ba4805b2daa4fc6106a5376065

VirusTotal report
for the current version is showing 9 of 41 detections.

Update - 01NOV2009

From October 27th until November 1st, we've seen 242 different domain names used by this campaign. Here are the ones that are currently live at this point in time (5:25 PM) --

Here is the full list . . .

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.