This is hardly the first time cybercriminals used Facebook to spread spam and malware. As anti-spammers became vigilant with these techniques, these spammers keep up and think of different ways to spread dangerous links to malicious websites. Sample seen recently uses a revived technique: make the email look like it came from a trustworthy source (in this case Facebook), then insert random email addresses into the Reply-To field.
Figure 1. Facebook spam contains several links, the first one even looks safe to click. Hovering the mouse over the link reveals it is anything but safe.
The result: when a user hits the reply button, the mail will automatically include all the email addresses to the recipients field.
Figure 2. Several email addresses automatically populate the To field.
The Spanish text of the email message roughly translates to:
A user of Facebook to send you this message
The photos arrived you that send you before? because me not respondistes bue you the command debuelta by if the doubts are those of the partuza eye q be not enlivened your girlfriend ciao
Click on the link to view the content
Posted by: I can not say but I know
If you can not see the content properly click here
Clicking on any of the links will summon the following prompt:
Figure 3. The file offered is named strangely. Notice the long underscore.
Needless to say, the downloaded file is a malicious component, TROJ_DLOAD.AEY. It leads to a BANKER variants TROJ_BANKER.HIJ, which is now currently being analyzed. BANKER variants are notorious data-stealing malware targeting users with online bank accounts. Good thing Smart Protection Network recognizes threats before they ever arrive to the desktop, eliminating the risks to users who may encounter this spam-malware attack.