X-Labs
January 30, 2011

"Facebook Profile Photos" malware on the run!

Ran Qiong

Websense Security Labs™ ThreatSeeker™ Network has detected another campaign of fake Facebook sites, just 4 days after Websense warned of the Mark Zuckerberg Facebook Page Showing Rogue Comments hack. A malicious executable file appears on fake Facebook sites titled "Facebook Profile Photos". Websense customers have been protected against this attack with ACE, our Advanced Classification Engine.

The attack posts messages on the wall of compromised Facebook accounts, and uses a previously created counterfeit Facebook application to lure users into visiting.

The payload of the application site redirects to another malicious link: 

 

The malicious link then redirects users to a fake Facebook sign-in page to steal usernames and passwords: 

 

The compromised Facebook accounts are starting to send messages to their friends' accounts containing fake application sites and other malicious links, such as "Facebook Profile Photos" sites, further spreading the campaign.

 

The "Facebook Profile Photos" site is shown below: 

 

A piece of malicious code in the payload:

 

When a user clicks on the fake link, a dialog appears prompting them to download a file. At the time of writing, this file had a low detection rate of 2/42 as analyzed by VirusTotal, and even now only almost half of the AV engines detect it.

 

To protect yourself from malicious URL links and spam posts being made to your Facebook wall, try our free Defensio Facebook app. You can download it from: http://defensio.com/.
