1:41 am (UTC-7) | by Paul Pajares (Fraud Analyst)
Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.
This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.
The attack starts with spammed messages that look like a Facebook notification. The email message alerts the users that a message has been sent to their Facebook accounts and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.
The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. These commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the gathered data to a certain SMTP server.
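The two host-level indicators the post gives for BKDR_QUEJOB.EVL (a process listening on TCP port 1098 and the file name FacebookMessengerSetup.exe) can be checked on an endpoint from a netstat listing and a process list. The script below is an added example written for this post, not code from Trend Micro; the netstat output and the PID-to-image mapping are constructed samples in Windows `netstat -ano` style, and the port and file name are the only values taken from the post.

```python
import re
from dataclasses import dataclass

# Indicators stated in the post: listening port and dropped file name.
SUSPECT_LISTEN_PORT = 1098
SUSPECT_FILE_NAME = "facebookmessengersetup.exe"

# Constructed sample of `netstat -ano` output (Windows). Hypothetical values.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING       3140
  TCP    192.168.1.20:49211     93.184.216.34:443      ESTABLISHED     2208
  UDP    0.0.0.0:5353           *:*                                    1456
"""

# Constructed sample process list (PID -> image path). Hypothetical values.
SAMPLE_PROCESSES = {
    812: r"C:\Windows\System32\svchost.exe",
    2208: r"C:\Program Files\Browser\browser.exe",
    3140: r"C:\Users\alice\Downloads\FacebookMessengerSetup.exe",
    1456: r"C:\Windows\System32\svchost.exe",
}

# One netstat row: proto, local addr, foreign addr, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<faddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reason: str


def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for every row that parses; skip headers."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group("laddr").rsplit(":", 1)[1])
        yield m.group("proto"), port, m.group("state") or "", int(m.group("pid"))


def find_indicators(netstat_text, processes):
    """Return Findings for the two indicators described in the post."""
    findings = []
    # Indicator 1: a TCP listener on port 1098, resolved to its owning image.
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port == SUSPECT_LISTEN_PORT:
            image = processes.get(pid, "<unknown>")
            findings.append(Finding(pid, image, f"TCP listener on port {port}"))
    # Indicator 2: a running process whose image name matches the dropped file.
    for pid, image in processes.items():
        if image.rsplit("\\", 1)[-1].lower() == SUSPECT_FILE_NAME:
            findings.append(Finding(pid, image, "image name matches FacebookMessengerSetup.exe"))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f.pid}: {f.reason} ({f.image})")
```

On a real host the two inputs would come from `netstat -ano` and a process listing such as `tasklist`; a hit on the port alone is worth triage because any program can bind 1098, while a hit on both indicators for the same PID is a strong match for the backdoor the post describes.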
More Attacks Targeting Facebook Users
It seems like cybercriminals have their eyes particularly set on Facebook users these days, as this is not the only attack we’ve seen in the past couple of days.
In another spam run, recipients were told that their Facebook passwords were unsafe and that they should open an attached document, which contains their new passwords and information on how they can further secure their accounts. Ironically, the said document was actually a malware detected as TROJ_DOFOIL.VI.
We’ve also seen attacks similar to previously reported ones that exploit the Facebook Events feature. This time, however, the social engineering lure was yet another popular Facebook feature: Credits.
Users were notified of a supposed glitch in Facebook’s system that could be fixed by simply following a set of given instructions. Similar to the technique used in the Facebook Stalker Tracker attack, users were told to copy a piece of code and to paste it into their Web browser. Executing the said script results in the creation of an event and in the invitation of the affected users’ contacts to the said event. The “event” contains spammy information such as links to the Canadian Pharmacy.
The script used to create the spam event is detected as JS_OBFUS.PB (now detected as JS_OBFUSCAT.SME).
Trend Micro product users are already protected from the above-mentioned threats through the Trend Micro™ Smart Protection Network™. Facebook users need to be aware that such schemes, among others, are very rampant on the network. Extreme caution before clicking links is strongly advised. Users may check out our comprehensive report, Spam, Scams, and Other Social Media Threats for more information.
Additional text and further analysis by Dhan Praga and Harry Reynoso