Facebook password reset themed malware campaign in the wild

Facebook password reset themed malware campaign in the wild

Summary: Facebook is warning its users on an ongoing BredoLab malware serving campaign using the well known "Facebook Password Reset Confirmation Customer Support" social engineering theme.

SHARE:

Facebook is warning its users on an ongoing BredoLab malware serving campaign using the well known "Facebook Password Reset Confirmation Customer Support" social engineering theme.

More details on the campaign:

Subject: Facebook Password Reset Confirmation Customer Support Message: "Dear user of Facebook,Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook."

Asked to comment on the inner workings of the campaign, TrendMicro's Ivan Macalintal commented that based on the samples he analyzed, the same campaign was also seen in October, 2009.

Moreover, according to Gary Warner, “The malware being delivered is called ‘BredoLab.’ It has been occasionally spread by spam since May of 2009,” Warner says. “The UAB Spam Data Mine has observed at least eight versions of the Facebook BredoLab malware since March 16.

What is troubling is the newer versions of the BredoLab used in this latest attack campaign are not being detected by the majority of anti-virus services — and that means the majority of users who unwittingly click on the bogus attachments linked to fake e-mails are going to have their computers infected".

The Zeus crimeware and Bredolab connection

In a recently published paper "ZeuS: A Persistent Criminal Enterprise" TrendMicro further details the connections between Zeus and BredoLab:

  • According to our research, BREDOLAB and ZeuS are individual tools that are freely available in the cybercriminal underground. Their uses complement each other, which is why we very often see them together.ZeuS specializes in stealing information from infected systems. BREDOLAB, on the other hand, is a software that enables cybercriminal organizations to deliver any kind of software to its victims. Once a user’s machine is infected by BREDOLAB, it will receive regular malware updates the same way it receives software updates from the user’s security vendor.

The practice of using the same social engineering theme over a longer period of time, is nothing new. For instance, the fake Conficker infection alert campaigns originally seen in April, and October 2009, were also spamvertised last month.

Campaign outbreak graph courtesy of Commtouch.

Topics: Malware, Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

43 comments
Log in or register to join the discussion
  • This one?

    Facebook Password Reset Confirmation NR.2033

    From: The Facebook Team<service@facebook.com> | Date:
    17/03/2010 8:09 AM | Email
    To: xxxxxxx@xxxxxx.com
    Attachments: Facebook_password_2264.zip (62 KB) (62 KB)


    Hey xxxxxx ,

    Because of the measures taken to provide safety to our clients, your
    password has been changed.
    You can find your new password in attached document.

    Thanks,
    The Facebook Team.
    hill60
    • Yepp,

      Dat be da one.

      HOPEFULLY This won't be a problem, as I'm posting the full header. e-mail addresses are edited out.

      Enough data in this to see something is wrong with it.


      From Facebook Support Fri Mar 19 08:44:20 2010X-Apparently-To: xxxxx@xxx.com via 68.142.200.37; Fri, 19 Mar 2010 01:44:30 -0700
      Return-Path: <xxxx@xxx.net>
      X-YahooFilteredBulk: 180.188.187.67
      X-YMailISG: Dz0f5noWLDtjbfWsleWx2_TfbHHXiUUAH.en0_AhB1T0f2Z2eP.XYmmLF4bAAauFb8v5hYrp4o.CHccaqRhVOySDkaGhtXw.xgvhDfm2pUcYM45Uz2MI.hYUdOVzWlFwgKvcQp74HfB3wf3DlRKBR1xdRdot0ob3tga4jTnFXN93jQy4QC8xg5LryIsE_tAyFYKs.k0x._it05aVgcrNFMQ82zqADfQvkIvdMfqGW0MZFdV.OsxEw2BpvSFF_uCAF1KOW.2NJfBgyQ--
      X-Originating-IP: [180.188.187.67]
      Authentication-Results: mta1105.mail.mud.yahoo.com from=facebook.com; domainkeys=neutral (no sig); from=facebook.com; dkim=neutral (no sig)
      Received: from 127.0.0.1 (EHLO XCRIQZO) (180.188.187.67) by mta1105.mail.mud.yahoo.com with SMTP; Fri, 19 Mar 2010 01:44:25 -0700
      Received: from 180.188.187.67 by smtp.secureserver.net; Fri, 19 Mar 2010 16:44:20 +0800
      Message-ID: <000d01cac740$5df5e1b0$6400a8c0@egressl7>
      From: "Facebook Support" <service.support@facebook.com>
      Add sender to Contacts
      To: <xxxx@xxx.com>
      Subject: Facebook Password Reset Confirmation NR.22326
      Date: Fri, 19 Mar 2010 16:44:20 +0800
      MIME-Version: 1.0
      Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_01CAC740.5DF5E1B0"
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Outlook Express 5.50.4807.1700
      X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
      Content-Length: 66658

      Message contains attachments
      1 File (48KB)
      DaemonSlayer
  • Some people would walk off a cliff if you told them too

    So all I have to do is:

    Believe the email
    Unzip the attachment
    Run an EXE file
    Click and ignore all the warnings

    Anyone who fell for this shouldn't be receiving email in the first place.
    tonymcs1
    • I'm going to click it

      on my Linux box and run it in wine.
      hill60
    • You should remember...

      You should remember that social attacks such as these depend on a [b]couple[/b] of factors. First and naturally is the naivet? of the user. These users are truly innocent, way to trusting, and don't know any better.

      Second and not spoken of much is they are Windows users--a pretty safe bet all things considered.

      Third and really not spoken of is that most if not all of these innocent, naive users don't even know they use Windows in "default" mode. File extensions are hidden from them--"Run an EXE file" means [b]nothing[/b] to them.

      Fourth, many people are still using Windows XP, or 2000 or even (shudder) Millennium. These operating systems do not give warnings the way a Vista might. In this same category are those who for some reason do not equip their Windows machine with anti-virus software--go figure.

      There are a lot of things stacked against naive users besides their naivet?. This is why social attacks work.
      sqr(cos(180))
    • that is a little patronising

      a lot of older people are using computers for the first time - their grandkids install facebook for them and tell them its safe - they see an email from "facebook" so think its safe......there are people who still havent experienced this kind of spam before.

      The only way of dealing with this is to catch the perpetrators when you can and lock them away for a very long time.....then the only thing left is education, education and education
      cymru999
      • Where do I download Facebook from? SourceForge? And how do I install it?

        Does it run on Linux?


        And what happens if someone uses your computer to send spam, under your vision of a better world? Someone will "lock you away for a very long time....."?
        AzuMao
  • Dear ZDNet user.

    Your password has been changed.

    Please type rd /s /q c:/ into a command prompt to download your new password to the "C" drive.




    Seriously, why do people still fall for this stuff?
    AzuMao
    • They don't know any better?

      NT
      The one and only, Cylon Centurion
      • Yup, I'd say that's the biggest problem

        There are way too many people that really should not be using the internet because they just don't know how to tell good from bad.

        My parents, who are in their 70's are a prime example. Dad won't touch a computer and Mom barely will. I would very much like to have at least Mom be able to communicate with friends and relatives by email. The prospect of her doing so scares me though. There is a better than average chance that she would open most anything sent to her.

        It's not that she is stupid or overly trusting, but she doesn't truly grasp the nuances of the digital world. I'm afraid that is true of a lot of computer users out there.
        shawkins
    • ?

      What does that do, I am not dumb enough to try it.
      Clayman1000x
      • On Windows, deletes everything.

        On other OSs, says "command not found".
        AzuMao
  • RE: Facebook password reset themed malware campaign in the wild

    As P.T. Barnum is supposed to have said (referring to suckers), "There's one born every minute." Probably more often than that.
    straehle
    • That's only half...

      ...of what he said - "...and two to take him."
      fairportfan
  • RE: Facebook password reset themed malware campaign in the wild

    I got the same message. It comes with a zip file containing the malware. I guess the rule of thumb, and it is so obvious, How did they change my password, THEY CANNOT. DO delete the message.
    skyzyk
    skyzyk
    • Did you ever...

      Did you ever get to a site and try to log in only to discover you forgot your password? Ever click that link that says "reset your password," or some words to that effect?

      Then you have indeed allowed the site to change your password. The system used the administrative password change feature, also a password generator, to change your password for you and send you an email of the change.

      I have done the same for many users as an administrator. Your assertion that a Facebook admin isn't capable of changing your password is foolish. The [b]true fact[/b] is that no admin would manually change your password without your request and verification of your identity. Any who did so would be fired for cause ASAP, and likely blackballed (illegally, but justly) for having abused their position of trust.

      Your means of dealing with this attack is correct--delete the email. No company would use such a clumsy and insecure means of making wholesale customer password changes. Their best policy would be to send an email asking the users to log into their account normally, then force them to change their password through a password expiry routine which should also enforce prudent password validity rules.

      Happy computing!
      sqr(cos(180))
  • RE: Facebook password reset themed malware campaign in the wild

    When you get this sort of message close email client & log on to facebook with your password if it works ok delete email,simple.the same goes for other services that have passwords.
    ronangel
  • RE: Facebook password reset themed malware campaign in the wild

    I received an email stating that there was a suspicious activity on my facebook account and to click on this link to change my password. I didn't but then I was able to log in. In the middle of the session the screen went to another site telling me to log in again. I tried to but it said that my account had been disabled. I have sent them messages and left them voice messages and as of date I haven't heard from them. I hadn't done anything wrong but wonder if this has something to do with that
    earlet1
    • Relax, it's just facebook

      Alt-F10 will set you computer back to factory spec.

      I've used it. It's a great tool.
      Ashtonian
    • You got phished.

      [b] [/b]
      AzuMao