Alerts
Facebook "added friend confirmation" Malicious Spam
Date:11.05.2008
Threat Type: Malicious Web Site / Malicious Code
Websense® Security Labs™ ThreatSeeker™ Network has discovered another round of malicious Facebook messages. This campaign is another visual social-engineering spam campaign which tries to visually trick users into believing that the message is a legitimate added friend confirmation. The "From" address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.
Websense quotes in the 2008 Threat Predictions report have been based on facts. In our previous alert Facebook "add friend" Malicious Spam campaign, we saw spammers including a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer's perspective, the likelihood of attack success decreases when antivirus software picks up the attachment. If not picked up by antivirus software, then content learning technologies filter such messages and their attachments after receiving a certain volume of similar messages.
In order to maintain their attack over a longer time period with increased success rates, spammers have switched their tactics by including links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer's perspective, using links consisting of compromised ‘legitimate’ domains hosting malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.
Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.
Screenshot of the malicious Facebook message: 
From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable named "update.exe" (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).
This malicious executable has a very low AV detection. When run, the malicious executable steals data from its victim, establishing a connection with an IRC botnet.
Screenshot showing the packet capture from a machine infected with "update.exe": 
Websense Messaging and Websense Web Security customers are protected against these threats.