Sponsored by..

Tuesday 26 November 2013

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe

This fake Facebook message comes with a malicious attachment:

Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password!


You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Didn't request this change?
If you didn't request a new password, let us know immediately.

This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42. Automated analysis tools [1] [2] [3] shows attempted connections to developmentinn.com on (Cogent, US) and spotopia.com on (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or note.

No comments: