Virus warning: Someone tagged or added a photo of you on Facebook

Virus warning: Someone tagged or added a photo of you on Facebook

Summary: Scammers are spamming a new e-mail that claims you were tagged in a photo added on the social network. The e-mail includes a link to a webpage that uses the Blackhole exploit kit to put malware onto your computer, before quietly redirecting you to a Facebook profile as if nothing was amiss.

TOPICS: Security, Malware
Virus warning: Someone tagged or added a photo of you on Facebook

Scammers are sending out e-mails saying that someone has added a photo of you and tagged you in it on Facebook. The spam comes with a link that tries to install malware on your computer.

Sophos, which first spotted the attack, detects the malware as "Troj/JSRedir-HW." The security firm provided the following sample e-mail (screenshot above):

Subject: Christine McLain Gibbs tagged a photo of you on Facebook
From: Facebook <>
Christine McLain Gibbs added a photo of you.
See Photo / Go to Notifications
If you don't want to receive these emails from Facebook in the future, please click unsubscribe.
Facebook, In. Attention: Deparmtent 415 P.O Box 10005 Palo Alto CA 94303

Notice the e-mail address: "" Facebook is intentionally misspelled as "Faceboook" with three Os. If you click on the link in the e-mail, you are not taken to Facebook but to a website hosting a malicious iFrame script which takes advantage of the Blackhole exploit kit. To cover up what just happened, however, four seconds later your browser is taken via a META redirect to a Facebook profile of a presumably entirely innocent individual.

As a general word of caution, don't open attachments in e-mails or click on links in them unless you are absolutely certain that the sender is who you think you are. If you want to warn Facebook about this scam, feel free to contact Facebook Security.

See also:

Topics: Security, Malware

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Not only in Facebook...

    I've been getting the same lately, from professional social site LinkedIn. Basically, users I've never met before "have started to message me". Actually, the links included actually point to other domains (one I got pointed to
    • LinkedIn fake emails

      I recently got an email from "LinkedIn" saying it added my FB account. On closer examination, the links in the message pointed to (notice, when in uppercase it's LINKEDLN.COM, but as presented it would be easy to overlook).

      What made me double-check the links was the email was sent to the address I used to initially create my FB account, but I have since disconnected that address from FB...
  • "don't open attachments in e-mails or click on links in them unless..."

    "don't open attachments in e-mails or click on links in them unless you are absolutely certain that the sender is who you think..."

    That's good advice, except it's impossible to do. You can almost never be certain.
    Spatha Spatula
  • What I do with social media emails

    I have been getting the same crap on a daily basis. I simply look at the source code to see if it in fact is coming from FB or from a scamming/spamming entity. The very first time I got one of these I clicked through and unfortunately it was a rigged site that did something extraordinary to my MacBook Pro laptop.

    Weeks after the click through and realizing I was at a malware distribution point I got out as quickly as I could and thought I was okay. Weeks later my laptop began to overheat. after doing all sorts of things from opening the laptop and cleaning out any and all dust to monitoring the temperature to tinkering with the fan speed.

    I was less than a week ago that I went to the system activity monitor and I immediately discovered what was causing the overheating problem. The malware apparently started to activate my NETserver and likely turned my machine into part of their botnet. Coincidently I kept getting this pop-up saying RealPlayer was trying to download something. I think the two events might have been connected as after I took everything tied to RealPlayer off the machine the switching on of NETserver stopped.
    • correction

      I recognized I was at a rigged site immediately.

      It was weeks later that the overheating began.
  • The "From" line can't be trusted

    Emil suggests that the misspelling of "faceboook" on the "From" line gives away that the message is phony. Maybe so, but the converse does not follow. The spammer could have just as easily spelled "facebook" correctly, and that would not have proven the legitimacy of the e-mail. In fact, a spammer can spoof any address he wants on the "From" line of an e-mail. Recipients should never trust the "From" line as proof of a message's actual origins.
    • Correct.

      Check the from line for anything suspicious, but even if it looks fine, don't trust it.
  • emails from facebook

    i have a facebook account but i consider ALL emails from facebook to be spam and NEVER EVER open any - i simply delete all on a daily basis. For as long as i can remember i have had one simple rule as far as emails are concerned: if i dont know the sender, the email is headed to the bin immediately - no ifs or buts, subject line is irrelevant. (and i never use the view pane in my email client)
  • Fake Emails From Facebook!

    I think everybody should check out the Scam Detector app. I believe they're online as well.