Facebook scam email tries to spread Zeus bank trojan

Another email attack leveraging Facebook is pummeling inboxes this week, according to researchers.

This one tries to steal passwords and, even more concerning, spreads the insidious Zeus, or Zbot, trojan to victim machines, according to experts at email protection vendor AppRiver.

The phony messages claim that Facebook is deploying a new login system to offer users more features and security. Users are encouraged to click on a link, which purportedly takes them to a site where they can update their account.

The attackers, however, proceed to rip off users' Facebook passwords by tricking them into "logging in." If users take the bait, they are then brought to a page that prompts them to install an "update tool," which is actually the Zeus trojan, a particularly harmful piece of malware that is known for stealing bank account information from its victims.

Engineers at AppRiver said that, as of Wednesday, the spammers had delivered about 1.65 million of these emails at a rate of 1,000 messages per minute per domain. The scam is slick in nature, they said.

"As we've come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse," the blog post said. "The graphics are well done and all look like something you would see from Facebook."

According to Red Condor, another email security provider, the spoofed Facebook login page contains "" as part of the URL's subdomain.

"As a result, people with small screen resolution or small browser windows/address bar sizes might think they are actually on Facebook's login page," the company said in a statement.

In an added twist, according to AppRiver, the attack also can spread to smartphones on which the Facebook application is installed. In those cases, the bogus email appears as an actual Facebook "notification," lending even more legitimacy.

This widespread wave of fraudulent emails comes soon after a separate campaign this week in which recipients were tricked into believing their Facebook password had been reset. They were encouraged to click on an attachment to view their new password. However, that file actually contained a poorly detected executable -- Packed.Win32.Krap.W -- that installs additional malware on the victim's computer and enlists it as part of the Bredolab botnet.

Researchers at messaging security provider Cloudmark have witnessed more than 735,000 instances of the message since Monday.

Facebook spokesman Simon Axten told on Thursday that users should be wary of suspicious or unexpected emails claiming to come from Facebook, and they should never open questionable attachments.
