Attackers are spamming out malware hidden within e-mails targeting Facebook users.
The scam starts with an e-mail claiming to contain a password reset feature for Facebook. Instead, users who open the attachment are greeted by Bredolab, a Trojan downloader that installs other types of malware on infected computers. In this case, the first thing the malware downloads is a password stealer and rogue antivirus program, said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB).
Warner said he has detected 17 new variants of the malware in the last 24 hours.
"The malware is constantly 'repacked'--which basically means that it's randomized in such a way that it can still run, but which gives it an entirely different [antivirus] signature," he said. "Signature-based AV has to then be updated before it can detect the new packing."
The body of the e-mail messages looks like this:
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
The Facebook Team.
The attachment is called "Facebook_details_<various numbers>.zip". According to a map provided by McAfee, the campaign was heavily active this week in North America and Europe.
"To give you an idea of the scope of the run, it reached as high as No. 6 on our Global Virus Map's Top 10, which tracks consumer detections worldwide," noted Dave Marcus, McAfee's director of security research and communication, in a blog post Wednesday. "It even accounts for as much as 10 percent of the infected e-mail that our managed e-mail SAAS unit is seeing."
This is not the first time Bredolab has been linked to this type of scheme. In October, security researchers found a campaign using identical tactics. In that case, once Bredolab was on the machine, it connected to two servers to download additional malicious files, including Cutwail.
Facebook does not ask users to update their passwords in an e-mail. If users have questions about their password or wish to change it, they are advised to go to the Website directly.