Fake Facebook password reset leads to rogue AV

There is no stopping the abuse of social networking sites and an endless reign of social engineering tactics in email campaigns, be it spam or malicious.  Facebook seems to be a favourite for most attackers as it has a huge user base, and attackers are almost guaranteed to get their message propagated quickly.  

Websense customers are proactively protected against these threats by the real-time protection in our Advanced Classification Engine (ACE).  

This particular campaign is yet another rogue AV.  Here a user is presented with an email message which suggests opening the attached zip file, in order to retrieve a newly-created password due to supposed changes made to the user's Facebook account.  

The header details show the real source and origin of the email as the display name is the only relation to Facebook.

The zip file contains an icon for a PDF document, which is misleading as it is actually a Windows executable.  When the user double-clicks this downloader, a rogue AV application is downloaded and launched which scares the user into thinking their machine is infected.   

As a result of being scared into thinking their computer might have been infected, the user is lured into going ahead with the rogue AV's instructions to disinfect the machine. 

The installation carries out a series of scans with fake detections to make it more convincing to the user.  

The next stage offers the user the opportunity to remove the threats of the fake detections carried out by the rogue AV. 

When this is selected, the user is then presented with the alert that the rogue AV is not registered and to do so requires the user's credit card details. This is where the phishing for information takes place. 

Currently we have seen over 240,000 of these email messages through our Websense Hosted Email Security product, and according to VirusTotal about 65% of anti-virus products detect the file attachment.