More details on the campaign:
Subject: Facebook Password Reset Confirmation Customer Support Message: "Dear user of Facebook,Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook."
Asked to comment on the inner workings of the campaign, TrendMicro's Ivan Macalintal commented that based on the samples he analyzed, the same campaign was also seen in October, 2009.
Moreover, according to Gary Warner, “The malware being delivered is called ‘BredoLab.’ It has been occasionally spread by spam since May of 2009,” Warner says. “The UAB Spam Data Mine has observed at least eight versions of the Facebook BredoLab malware since March 16.
“What is troubling is the newer versions of the BredoLab used in this latest attack campaign are not being detected by the majority of anti-virus services — and that means the majority of users who unwittingly click on the bogus attachments linked to fake e-mails are going to have their computers infected".
The Zeus crimeware and Bredolab connection
In a recently published paper "ZeuS: A Persistent Criminal Enterprise" TrendMicro further details the connections between Zeus and BredoLab:
- According to our research, BREDOLAB and ZeuS are individual tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why we very often see them together.ZeuS specializes in stealing information from infected systems. BREDOLAB, on the other hand, is a software that enables cybercriminal organizations to deliver any kind of software to its victims. Once a user’s machine is infected by BREDOLAB, it will receive regular malware updates the same way it receives software updates from the user’s security vendor.
The practice of using the same social engineering theme over a longer period of time, is nothing new. For instance, the fake Conficker infection alert campaigns originally seen in April, and October 2009, were also spamvertised last month.
Campaign outbreak graph courtesy of Commtouch.