::Trend Micro Threat Resource Center::

26 May 2010

New type of phishing attack using tabs

Aza Raskin from the Mozilla Firefox team found a pretty interesting new type of phishing attack that uses an automatic change of the favicon and page title to make one of your tabs look like another web site.

The attack goes like this:

1. A user navigates to your normal looking site.
2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.
4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
5. After the user has entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
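The attack works only because the title and favicon can change while nobody is looking at the tab. The following is an added example (not from the original post or Raskin's proof of concept) of a defensive heuristic built on exactly that observation: it records visibility changes together with title and favicon changes, and flags any change made while the tab had been hidden for longer than an idle threshold. The idle threshold, the event format and the sample timeline are assumptions made for this example.

```javascript
// Added example (not from the original post or Aza Raskin's proof of concept).
// Heuristic detector for the tab-swap attack described above: a page that
// rewrites its own title or favicon while the tab is hidden. The pure function
// works over a recorded event timeline so it can be tested offline; the
// optional browser wiring at the bottom feeds it real DOM events.

const IDLE_MS = 5000; // assumed threshold before a hidden tab counts as "unattended"

// events: [{ t: ms, type: 'visibility', value: 'hidden'|'visible' } |
//          { t: ms, type: 'title'|'favicon', value: string }]
// Returns the title/favicon changes made while the tab had been hidden for at
// least idleMs, i.e. the window in which the user cannot notice them.
function detectTabnabbing(events, idleMs = IDLE_MS) {
  const sorted = [...events].sort((a, b) => a.t - b.t);
  let hiddenSince = null; // timestamp at which the tab became hidden, or null
  const flagged = [];
  for (const ev of sorted) {
    if (ev.type === 'visibility') {
      hiddenSince = ev.value === 'hidden' ? ev.t : null;
      continue;
    }
    const isCue = ev.type === 'title' || ev.type === 'favicon';
    if (isCue && hiddenSince !== null && ev.t - hiddenSince >= idleMs) {
      flagged.push({ type: ev.type, value: ev.value, hiddenForMs: ev.t - hiddenSince });
    }
  }
  return flagged;
}

// Constructed timeline: the user leaves the tab, and 30 s later the page swaps
// its favicon and title to look like a webmail login page.
const SAMPLE_TIMELINE = [
  { t: 0,     type: 'title',      value: 'Example Blog' },
  { t: 1000,  type: 'visibility', value: 'hidden' },
  { t: 31000, type: 'favicon',    value: 'https://example.invalid/mail.ico' },
  { t: 31010, type: 'title',      value: 'Webmail: Sign in' },
  { t: 60000, type: 'visibility', value: 'visible' },
];

// Browser wiring (only runs when a DOM is present): observe <title> and
// <link rel="icon"> changes plus visibilitychange, and report when the user
// returns to the tab. Returns the MutationObserver so it can be disconnected.
function installTabnabbingMonitor(report = console.warn, idleMs = IDLE_MS) {
  if (typeof document === 'undefined') return null;
  const events = [];
  let lastTitle = document.title;
  let lastIcon = (document.querySelector('link[rel~="icon"]') || {}).href || '';
  document.addEventListener('visibilitychange', () => {
    events.push({ t: Date.now(), type: 'visibility', value: document.visibilityState });
    if (document.visibilityState === 'visible') {
      const hits = detectTabnabbing(events, idleMs);
      if (hits.length) report('title/favicon changed while this tab was hidden:', hits);
      events.length = 0;
    }
  });
  const observer = new MutationObserver(() => {
    const icon = (document.querySelector('link[rel~="icon"]') || {}).href || '';
    if (document.title !== lastTitle) {
      lastTitle = document.title;
      events.push({ t: Date.now(), type: 'title', value: lastTitle });
    }
    if (icon !== lastIcon) {
      lastIcon = icon;
      events.push({ t: Date.now(), type: 'favicon', value: lastIcon });
    }
  });
  observer.observe(document.head, { childList: true, subtree: true, attributes: true, characterData: true });
  return observer;
}
```

Run in Node, `detectTabnabbing(SAMPLE_TIMELINE)` returns the two cue changes made 30 seconds into the hidden period; the same timeline with a 60-second threshold returns nothing, which is the trade-off a real monitor has to tune: legitimate pages (a mail client updating its unread count in the title) also change their title while hidden, so the heuristic is a prompt to re-check the address bar, not a verdict.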

Video showcasing the attack:

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Proof of concept is available over here. Note that this is the blog post about the issue, but the page changes into fake Gmail.

BitDefender impersonated by rogue antivirus

BitDefender has detected a new rogue antivirus utility that attempts to trick users into installing it by posing as a BitDefender product. Suggestively named ByteDefender, the malicious application acts like a fully-fledged rogue antivirus with a twist.

Unlike average rogue AV products, the ByteDefender sibling does not rely on the classic drive-by method used by most products of its kind, but rather piggybacks on the popularity of the BitDefender products and their distinct visual identity to lure users into voluntarily downloading it.

The website distributing it is located at hxxp://www.bytedefender.in (URL specifically invalidated to avoid accidental infection) and abusively built using the BitDefender layout. The domain name has been registered in Ukraine. Even the boxshots have been crafted in such a manner to trick the user into thinking that they are installing the genuine security product.

The infection scenario is simple, yet efficient: a user looking for a BitDefender product may mistype the genuine address and land on the typo-squatted malicious webpage. Because of the similar webpage structure, the user may download and install the rogue AV.

Read here for a more detailed report with screenshots.

24 May 2010

IBM accidentally includes malware on USB drives at AusCERT 2010

IBM accidentally distributed some infected USB sticks that contained a keylogger agent (which can spread via USB flash drives). IBM may have contracted these drives, with its logo, to another manufacturer and may not even be responsible. The key point is that even with media from highly reputable companies, there is a need for AV protection at all times; users who were up-to-date on Microsoft security patches would also have been well protected. Accidents can always happen in addition to direct attacks.

Conficker Worm - IBM accidentally includes on USB drive at AusCERT2010
http://www.itnews.com.au/News/175451,ibm-unleashes-virus-on-auscert-delegates.aspx
http://www.zdnet.com/blog/security/malware-infected-usb-drives-distributed-at-security-conference/1173

QUOTE: "At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth," IBM Australia chief technologist Glenn Wightwick wrote in an email to delegates this afternoon. "Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."

IBM said in a statement that a "small number of IBM-branded USB sticks distributed to delegates at the recent AusCERT2010 conference were found to contain malware". "IBM has immediately contacted delegates with remedial advice, and regrets any inconvenience that may have been caused," an IBM spokesman said.

22 May 2010

Social networking sites passing on user data to ad agencies

Several social networking sites - including Facebook and MySpace - have apparently been sending users' data to advertising agencies - in spite of all the assurances and promises that this information is not shared with anyone without having previously asked the users for consent and receiving a thumbs-up.

The Wall Street Journal maintains that it has discovered the concealed practice of the social networks of sending users' ID numbers and/or names to the agencies every time the users click on the ads, but that Facebook and MySpace have reacted expeditiously to the questions about it and have already changed much of the code that allowed this practice.

The problem with the advertising agencies being given this information is that they could use it to mine other personal data from the profiles of those users, if they shared it with the network and if the privacy settings are set to minimum. The advertising agencies in question - including Yahoo's Right Media and Google's DoubleClick - claim that they haven't used the data because they didn't know the data was being sent in the first place.

It seems that the sending of this data could have occurred by mistake or simply by disregarding the fact that the address of the page from which someone clicked on an ad - if that page is of a social network - could contain user names or ID numbers. In an ideal world, this information should be obscured.
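The mechanism the paragraph describes is the browser's Referer header: when a user clicks an ad, the URL of the page they clicked from is sent to the ad server, and if that URL is a profile page carrying a user name or ID, the identifier goes with it. The following is an added example (not code from the Wall Street Journal report or from any of the sites named) that audits a constructed ad-click log for such leaks and rewrites the referrer the way the paragraph suggests. The query keys and path prefixes it treats as identifying are assumptions for the demo, not any site's real URL scheme.

```javascript
// Added example; not code from the Wall Street Journal report or any of the
// social networks named in the article. Demonstrates the leak: the page URL a
// click came from (sent as the Referer header) can itself carry a user name or
// ID. The identifier patterns below are ASSUMED for this demo only.

const ID_QUERY_KEYS = new Set(['id', 'uid', 'user', 'username', 'profile_id']);
const ID_PATH_PREFIXES = ['/profile/', '/user/', '/people/'];

// Returns the identifying components found in a referrer URL, or [] if none.
function findIdentifiers(referrer) {
  const url = new URL(referrer);
  const found = [];
  for (const [k, v] of url.searchParams) {
    if (ID_QUERY_KEYS.has(k.toLowerCase()) && v !== '') {
      found.push({ where: 'query', key: k, value: v });
    }
  }
  for (const prefix of ID_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix)) {
      const segment = url.pathname.slice(prefix.length).split('/')[0];
      if (segment) found.push({ where: 'path', key: prefix, value: segment });
    }
  }
  return found;
}

// Rewrites a referrer so it no longer carries the identifier: identifying
// query keys are dropped, identifying path segments replaced, fragment removed.
function redactReferrer(referrer) {
  const url = new URL(referrer);
  for (const k of [...url.searchParams.keys()]) {
    if (ID_QUERY_KEYS.has(k.toLowerCase())) url.searchParams.delete(k);
  }
  for (const prefix of ID_PATH_PREFIXES) {
    if (url.pathname.startsWith(prefix)) {
      const rest = url.pathname.slice(prefix.length).split('/');
      rest[0] = 'redacted';
      url.pathname = prefix + rest.join('/');
    }
  }
  url.hash = '';
  return url.toString();
}

// Constructed ad-click log: "<page URL the click came from> ad=<ad id>".
const SAMPLE_CLICKS = [
  'https://social.example/profile.php?id=100023 ad=7781',
  'https://social.example/user/alice.smith/photos ad=7782',
  'https://social.example/home ad=7783',
];

// For each click, report whether the referrer would have handed an identifier
// to the ad network, what it was, and the redacted form that should be sent.
function auditClickLog(lines) {
  return lines.map(line => {
    const [referrer, ad] = line.split(' ');
    const identifiers = findIdentifiers(referrer);
    return {
      ad,
      leaks: identifiers.length > 0,
      identifiers,
      safeReferrer: redactReferrer(referrer),
    };
  });
}
```

Run on the constructed log, the first two clicks are flagged (a numeric ID in the query string, a user name in the path) and the third is clean. The rewrite is what the article means by "obscured"; the rest of the fix is on the site itself, which can avoid putting identifiers in page URLs in the first place.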

The question now raised is this one: "Haven't the social-networking sites been violating their own privacy policies and industry standards?"

Digg, LiveJournal, Hi5, Xanga and Twitter have also been caught sending the information. The Wall Street Journal asked Ben Edelman, an assistant professor at Harvard Business School and a connoisseur of Internet advertising, to have a look at the code of all the 7 sites in question. He confirmed their suspicions and even alerted the FTC to the offending practice, petitioning for a deeper investigation.

Incidentally, this is not the first time this issue has arisen. Researchers from AT&T Labs and Worcester Polytechnic Institute discovered the practice and published a paper about it last year in August. They even notified the sites in question of their discovery, but nine months later, the issue still exists. It's obvious, then, that the we-didn't-know-about-it excuse can't work.

When contacted about it, they offered the following explanations.

Facebook - "We fixed this case as soon as we heard about it." They are also experimenting on changing the formatting for the text of the address so that no identifiable information is passed on.

MySpace, Hi5, Digg, Xanga and LiveJournal say that since their users aren't required to use their real names, they don't regard IDs and user names as relevant or personally identifiable. But still, MySpace is working on a method to obfuscate this information, and Digg scrambles the data before sending it on.

So, time to consider reviewing the REAL information that you have put up in your social networking profile?

21 May 2010

New Twitter Worm Abuses iPhone App News

Twitter's new iPhone app is being used as a lure for a new worm attack that ultimately steals a victim's financial credentials.

The attack abuses Twitter trending topics -- a popular source of abuse -- but with a twist: Rather than installing fake antivirus software like most similar attacks, it installs a new banking Trojan that steals online banking accounts, credit card PIN numbers, and online payment system passwords, according to Kaspersky Lab.

Dmitry Bestuzhev, senior antivirus researcher at Kaspersky Lab, says the attack injects malicious tweets from the attackers' own malicious Twitter profiles. Tweets include the words "Official Twitter App," which was No. 7 of the Top 10 trending topics on Twitter. In one case, the tweet includes a link to a "video" purportedly of the Olympic mascot. "I saw a lot of people retweeting this news several times without even checking the source," Bestuzhev says. "The victims who clicked on the links were forced to open a Web page with a malicious Java archive file on it. This one downloaded and installed the Trojan banker to the victim machine."

The aggressive Trojan also disables Windows Task Manager, regedit, and notifications from Windows Security Center as a way to avoid detection. "From the moment the malicious code was active and running, if the victims opened their online bank account, made an online payment with a credit card, or by PayPal, eBay, or any other online payment system, all sensitive information was stolen and sent as encrypted information to the criminals," Bestuzhev says. The Trojan can also spread via USB devices.

Kaspersky Lab discovered the Trojan worm copies itself onto the infected system with the name "Live Messenger," and it can check whether the hard drive is virtualized. If it is, the malware won't run. The anti-malware firm calls the Trojan "Worm.Win32.VBNA.b."

Researchers at PandaLabs also have spotted the Trojan attack and blogged about it here.

Interestingly, while the attackers have the ability to take over an infected Twitter account and send malicious tweets to the victim's followers, so far they don't appear to be doing so. "They just used several recently created Twitter accounts with few followers," Bestuzhev says. But they have the capability to steal the victims' Twitter account credentials, as well, with this attack, he says.

So who's behind the attack? Bestuzhev says it appears to be coming out of Latin America -- namely, Brazil -- unlike many of the rogue AV campaigns, which typically originate in Russian-speaking countries. He posted a blog on the attack here yesterday.

20 May 2010

Critical Facebook bug exposes sensitive information

Yet another Facebook privacy bug has been discovered - this time by M.J. Keith, a senior security analyst with AlertLogic.

The bug in question makes it possible for an attacker to access the account of a user and modify its content - if the user is duped into clicking on a link that leads to a malicious Web site containing the JavaScript code that exploits the cross-site request forgery flaw.

According to the security advisory released on Wednesday by AlertLogic, the bug was spotted last week, and Facebook was notified of it immediately. Three days later the social network confirmed it had fixed it, but additional testing by Keith yesterday showed that the bug is still present.

IDG News reports that Keith had created a simple Web page containing an invisible iFrame, and when someone clicked on the page while logged into Facebook, they automatically "liked" several pages.

When you think about it - "liking" pages you normally wouldn't could be a big deal if your account is public and the pages in question are embarrassing enough to make your boss think about firing you or friends wonder if they really know you. An attacker reading and misusing your personal information and making that information public (if it isn't already) could also lead to a heap of trouble.

So think twice again, before you "Like" that page.

18 May 2010

Majority Of Browsers Leave Fingerprints Online

The majority of web browsers have unique signatures that create identifiable "fingerprints" that could be used to track Internet users as they surf, according to new research from the Electronic Frontier Foundation (EFF).

The findings were the result of an experiment EFF conducted with volunteers who visited the EFF's Panopticlick website.

The website anonymously logged the configuration and version information from each participant's operating system, browser, and browser plug-ins -- information that websites routinely access each time you visit -- and compared that information to a database of configurations collected from almost a million other visitors. EFF found that 84% of the configuration combinations were unique and identifiable, creating unique and identifiable browser "fingerprints." Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.
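The arithmetic behind the "84% unique" figure is simple to reproduce: join each visitor's configuration values into one fingerprint, count how many fingerprints occur exactly once, and measure how many bits of identifying information each attribute contributes. The following is an added example (not EFF's Panopticlick code) that does this over a small constructed set of visitor configurations; the attribute names and the sample values are assumptions for the demo.

```javascript
// Added example; not EFF's Panopticlick code. Reproduces the measurement the
// article describes on a constructed sample: how many visitors have a unique
// configuration, and how many bits of identifying information each attribute
// carries (Shannon entropy over the sample). Attribute names and values are
// assumed for the demo.

const ATTRIBUTES = ['userAgent', 'plugins', 'fonts', 'screen', 'timezone'];

// The fingerprint is the configuration values joined in a fixed order.
function fingerprintOf(config) {
  return ATTRIBUTES.map(a => `${a}=${config[a]}`).join('|');
}

// Shannon entropy, in bits, of the value distribution in `values`.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed visitors; two pairs share an identical configuration.
const SAMPLE_VISITORS = [
  { userAgent: 'FF3.6-Win',   plugins: 'Flash10,Java6', fonts: 'F1', screen: '1280x800x24',  timezone: '-300' },
  { userAgent: 'FF3.6-Win',   plugins: 'Flash10,Java6', fonts: 'F1', screen: '1280x800x24',  timezone: '-300' }, // same as #1
  { userAgent: 'FF3.6-Win',   plugins: 'Flash10',       fonts: 'F2', screen: '1024x768x24',  timezone: '-300' },
  { userAgent: 'FF3.6-Win',   plugins: 'Flash10',       fonts: 'F2', screen: '1024x768x24',  timezone: '0' },
  { userAgent: 'FF3.6-Win',   plugins: 'none',          fonts: 'F3', screen: '1024x768x24',  timezone: '60' },
  { userAgent: 'IE8-Win',     plugins: 'Flash10,Java6', fonts: 'F4', screen: '1280x1024x32', timezone: '-300' },
  { userAgent: 'IE8-Win',     plugins: 'Flash10,Java6', fonts: 'F4', screen: '1280x1024x32', timezone: '-300' }, // same as #6
  { userAgent: 'IE8-Win',     plugins: 'none',          fonts: 'F5', screen: '1280x1024x32', timezone: '-480' },
  { userAgent: 'Safari4-Mac', plugins: 'Flash10,Java6', fonts: 'F6', screen: '1440x900x24',  timezone: '-480' },
  { userAgent: 'Safari4-Mac', plugins: 'Flash10',       fonts: 'F6', screen: '1440x900x24',  timezone: '-480' },
];

// Uniqueness and information content of a population of configurations.
function analyze(visitors) {
  const fps = visitors.map(fingerprintOf);
  const counts = new Map();
  for (const fp of fps) counts.set(fp, (counts.get(fp) || 0) + 1);
  const uniqueCount = fps.filter(fp => counts.get(fp) === 1).length;
  const attributeBits = {};
  for (const a of ATTRIBUTES) attributeBits[a] = entropyBits(visitors.map(v => String(v[a])));
  return {
    visitors: visitors.length,
    distinctFingerprints: counts.size,
    uniqueFraction: uniqueCount / visitors.length,   // the "84%" style figure
    fingerprintBits: entropyBits(fps),               // bits the whole fingerprint carries
    maxPossibleBits: Math.log2(visitors.length),     // upper bound for this sample size
    attributeBits,
    // for each visitor: how many visitors share their fingerprint (1 = fully identified)
    anonymitySetSizes: fps.map(fp => counts.get(fp)),
  };
}
```

On the constructed sample, 6 of 10 visitors are unique and the fingerprint carries about 2.9 of the 3.3 bits a population of ten could at most supply. The same code run against a real collection shows why the plugin and font lists dominate: they have the most distinct values and so the highest per-attribute entropy, which is the reason EFF found Flash- and Java-equipped browsers to be even more identifiable.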

"We took measures to keep participants in our experiment anonymous, but most sites don't do that," said EFF Senior Staff Technologist Peter Eckersley.

"In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities. This experiment is an important reality check, showing just how powerful these tracking mechanisms are."

EFF found that some browsers were less likely to contain unique configurations, including those that block JavaScript, and some browser plug-ins may be able to be configured to limit the information a browser shares with the websites users visit. But overall, it is difficult to reconfigure your browser to make it less identifiable. The best solution for web users may be to insist that new privacy protections be built into the browsers themselves.

"Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies and IP addresses when we discuss web privacy and user trackability," said Eckersley.

"We hope that browser developers will work to reduce these privacy risks in future versions of their code."

15 May 2010

Laptop theft exposes data on 207,000 army reservists

Personal data on 207,000 U.S. army reservists has recently been stolen along with three laptops from the offices of a government contractor (Serco Inc.). The U.S. Army Reserve Command has begun notifying the reservists of this security fail via letters that offer apologies and assurances that "something" will be done to prevent these things from happening again:

"At a minimum, we will be providing additional training to personnel to ensure that they understand that personally identifiable information must at all times be treated in a manner that preserves and protects the confidentiality of the data," it says in the letter.

According to Brian Krebs, the data in question was held on a CD-ROM that was in one of the laptops at the time the theft occurred, and encompasses names, addresses and Social Security numbers of the reservists. It is also likely it contained some data belonging to spouses and dependents of the reservists.

Col. Jonathan Dahms, PR for the Army Reserve, said that the Army will be taking steps to assure that the identities of reservists whose data was stolen were protected, but hasn't elaborated on what those steps may be.

The questions that beg to be asked: "Don't government contractors have an obligation to keep the data encrypted? If not, why?"

14 May 2010

Email Attack Targets HR Departments

The global recession has brought a shortage of jobs, but job seekers are not the only ones who are targeted by malicious emails and scams.

A targeted attack aimed at human resources departments and hiring managers in the U.S. and Europe was spotted this week -- and sent 250,000 emails during a four-hour period yesterday at the height of the assault.

TrendLabs has recently spotted an email spam campaign that contains just one line of text:

The Resume_document_589.zip file attached to the message is supposed to be the CV in question, but is actually a zipped-up malicious .exe file that drops a Trojan downloader into the victim's system.

The attack had morphed today, with a modified binary, and a different subject line and email message. The theme was the same, though: a prospective application with a CV attached. A CV campaign is still ongoing right now [as of 5:30 UK time], sending to hundreds of thousands of recipients.

Most users and especially HR managers wouldn't be fooled into opening the attachment, but for those who are not familiar with this type of spam, the curiosity might prove too much.

It is good to remember that unsolicited emails should be carefully analyzed - if you're not expecting such an email, and you don't recognize the sender's name or email address, it is best to pass up on opening attachments or following embedded links.

XP (SP2) support ends July 13

If you’ve been squeezing the last bit of value out of that installation of Windows XP Service Pack 2 or are continuing to run it because of proprietary software that you’re squeezing the last bit of value out of, well, you only have two more months of squeezing.

Microsoft will end support for Service Pack 2 on July 13.

Now if you can somehow upgrade to Service Pack 3, you can forget about the problem until Microsoft’s Extended Support for XP ends April 8, 2014, assuming the hard drive in that PC you bought in 2001 lasts that long. Meanwhile, I wouldn't slack off on the backups.

And, no, July 13 isn’t on a Friday.

Support for Windows XP Service Pack 2 ends on July 13, 2010

Microsoft's page on this is here.

Flaw Found With Facebook Instant Personalization Service

It may once again be time to go over your Facebook profile and make sure nothing too personal is written there. In addition to untrustworthy acquaintances and outright scammers, users now apparently have to worry about security holes introduced by the new "instant personalization" program.

As reported by Jason Kincaid, "Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user's name, email, and data shared with 'everyone' on Facebook, with no action required on the user's part."

This was possible because Facebook granted Yelp (along with Pandora and Docs.com) automatic access to its data. A malicious site could therefore gather enough information to imitate a user, feed it to the relevant API, and learn a great deal of personal information for free.

And even though Facebook and Yelp were quick to correct the problem, Kincaid wrote, "[T]his is unsettling nonetheless. Instant Personalization has only been around for a few weeks on a mere three sites, and one of them has already had issues. Given how common XSS vulnerabilities are, if Facebook expands the program we can likely expect similar exploits."

It's hard to believe the average user will tolerate many more mistakes like this; even if very few people actually abandon Facebook, it's possible we'll see some protests and boycotts for the sake of privacy and security.

13 May 2010

Anti-Phishing Phyllis training game

Are you concerned about your users disclosing sensitive information in response to increasingly sophisticated spear phishing emails?

Wombat Security Technologies announced the release of Anti-Phishing Phyllis, a training game to teach employees and customers how to spot fraudulent emails.

In this training game, users help a fun fish character named Phyllis teach her school of fish how to avoid phishing traps in fraudulent emails. Traps covered in the game include fake links, malicious attachments, cash prizes, “respond-to” emails asking for sensitive information and much more.

Users are given a limited amount of time to analyze each email and spot traps. As they play the game, they are given feedback on the phishing traps they miss and learn to better protect themselves.

The game comes with an extensive collection of randomized legitimate and fraudulent emails, so users can play the game multiple times without seeing the same messages. In just a little over 10 minutes, users proceed through a succession of three rounds, with each round introducing new tips and teaching them how to fend off dangerous email attacks.

Phyllis has been built to support easy deployment and customization. Training emails can also be customized to reflect the types of phishing attacks an organization’s employees or customers are most likely to receive. These emails may pretend to be from the IT department asking for verification of employees’ passwords, a co-worker tempting them to download a picture of an animated singing hamster, or perhaps the IRS asking for their account information to issue a tax refund.

FacebookDigits phishing scam

Facebook users have lately been targeted by a clever phishing scam. The phishing website, whose looks evoke those of the social network, is trying to convince potential victims that they can now take advantage of a service that will allow them to get a "Facebook phone number":

The service also offers rewards (free calls and text messages) for those users that invite their friends.

Unfortunately for the victims, the website's only function is to harvest their Facebook credentials. The website was reported to be a web forgery and has been blocked.

WordPress users under attack

WordPress-based websites have once again become the target of attacks. This time around, the hacked websites are hosted by various ISPs: DreamHost, GoDaddy, Media Temple and Bluehost, and there are also rumors floating around that other PHP-based platforms could also have been affected.

The H Security reports that it is still unknown which security hole has been exploited to launch the attack, which infects the websites with malicious scripts that allow fake AV to be installed on the systems of people who visit the sites in question. To avoid detection, the malware prevents some browsers (Firefox and Google Chrome) from alerting potential visitors about the malicious nature of the website.

Speculations about the possible invulnerability of the sites running the latest version of WordPress have been shot down by David Dede at Sucuri Security's blog, who offers a few likely theories about how the sites were compromised:
  • Stolen FTP/WP password
  • Bug in WordPress
  • Bug in some WordPress plugin
  • Brute force attack against the passwords.
He also offers a simple cleanup solution for the owners of infected websites.

A similar attack has been detected today on websites hosted by Go Daddy. WPSecurityLock has received a statement from the ISP, in which it says that "they have identified and are working with the provider and hosting company from where the attacks are originating" and that they are "close to breaking additional details related to recent malware attacks."

12 May 2010

Twitter gain-more-followers scam

It seems that many Twitter users are desperate for additional followers, and they are willing to take offered shortcuts to achieve that goal.

Enter the bogus gain-more-followers services. Hosted on domains like obtainmorefollowers.com, moretwitterfollowers.com, purchasetwitterfriends.com, and similar, they offer to add a certain amount of followers to your account, sometimes even for a fee:

In order for "them" to effect the changes, you are asked for your Twitter username and password. If you don't know it by now, giving up your credentials to any online account to third-party websites is not a good idea.

In this case, your account can be hijacked and used for spamvertising - that is, you will be promoting the service on your account and be responsible for duping some of your followers. You're lucky if you haven't lost any money in the process and the password isn't changed, so you can change it yourself and shut out the spammers/scammers.

As Graham Cluley says, you're better off examining the things you say and finding a way to make your tweets more interesting than using suspicious services that could - and will - compromise your account.

11 May 2010

Windows 7 Compatibility Checker turns out to be a Trojan

A deceptive "help" message invites recipients to check their PCs’ compatibility with Windows 7 by downloading and running an altered version of the Windows 7 Upgrade Advisor concealing a Trojan.

Cybercriminals are well known for their predilection to spot and bank on people’s interest in what’s hot in the e-world. Operating systems and their latest developments are classic honey pots and it is practically impossible to miss their potential as baits for illicit gains.

With Windows 7 reaching general retail availability in October 2009, it was just a matter of time before malware creators rose to the occasion and exploited users' eagerness to install it on their PCs.

Success stories of this kind cannot rely exclusively on sheer luck, so a little bit of planning is mandatory. Here's how the plot line goes this time: a "disinterested helping hand" type of e-mail reaches Windows users' inboxes and recommends that they download the Windows 7 Upgrade Advisor Setup. This piece of software supposedly allows them to see if their system resources could support the new OS. All they have to do is open the attached .zip file.

Instead of the promised compatibility checking tool, the zip file hides Trojan.Generic.3783603. This piece of malware contains malicious software which it drops and installs on the system. Frequently, it installs a backdoor which allows remote, clandestine access to the infected system. This backdoor may then be used to upload and install additional malicious or potentially unwanted software on the captured system.

The infection rates reflected by the BitDefender Real-Time Virus Reporting System indicate the beginning of a massive spreading of the Trojan. Although this phenomenon has just started, it seems that it's just a matter of time before the cybercriminals control a huge number of systems. Infection rates are also expected to boom because of the effective social engineering ingredient of this mechanism, namely the reference to the popular Windows OS.

In order to stay safe, BitDefender recommends that you never open the attachments coming from unknown contacts and that you install and update a complete anti-malware software solution. To always stay on the safe side of things, make sure you download the software you need from the official vendor’s website.

08 May 2010

New Facebook bug adds unauthorized apps to your profile

Just a few days after the bug that let users see their friends' personal chats, another Facebook bug was discovered yesterday, and this one was adding applications to your Facebook profile without your knowledge or authorization. If you surf to sites that have Facebook integration while you are logged in to Facebook, chances are your profile has had a few of those added.

Facebook spokesman David Swain said to Macworld that the bug has been fixed and that no information was shared with those applications, but it remains to be seen if Facebook will notify every user - since the only way to remove these unauthorized applications is to do it manually.

Also, the question is: do you trust Facebook when it tells you that no information was shared? How would you know if it was?

To remove the unauthorized applications, go to your Facebook Account details (top right corner), select the Application Settings option from the drop-down menu and delete unwanted applications by clicking on the "X" mark. I would also recommend editing the settings for those applications you want to keep using - browse through them and see what you want to share with whom and what you permit the application to do.

These latest privacy changes have wreaked havoc on Facebook, so this is the right time to consider which information could be too sensitive to be provided in your account.

07 May 2010

Sunbelt begins daily webinar demos

Sunbelt Software has begun offering live webinar demos of VIPRE® Enterprise Premium 4.0 weekdays at 4 p.m. Presentations will include:

-- features and functionality
-- tips and best practices for configuration
-- LIVE answers to your questions from our Support team.

VIPRE Enterprise Premium 4.0 combines antivirus, antispyware, client firewall and malicious website filtering technologies in a single agent that protects against the ever-changing wave of malware in the most comprehensive, efficient manner.

Register here: http://www.sunbeltsoftware.com/Daily-Webinars/

06 May 2010

Don't be fooled by Facebook Hack website

There are all sorts of ways for dubious characters to generate some cash for themselves – some will offer up fake hacking programs that require you to fill in a survey to download their worthless application, while others will go down the tried and tested method of infecting your PC then popping endless promos and deals that make them affiliate cash.

This one does away with all of that, combining some barefaced cheek with a completely useless website designed to make the end-user click things until their hands fall off. The URL is applehack(dot)webs(dot)com/fbhack

Is this the part where I start to pull out screenshots? You bet:

As you can see, the site claims it'll hack whatever Facebook account you care to suggest. Simply enter the Username of the victim, hit the Hack button and then...you see the below message, which is possibly the cheekiest piece of fibbing I’ve seen in some time:


Yes, that really does tell you to wait around for thirty minutes while clicking every advert you can get your hands on. Thanks to some coding which continually loops a fresh advert every time you click (along with a neverending stream of popups outside of the main browser window), you may find your desktop starts to look like somebody gave it one too many energy drinks:

All those browser windows, and I didn’t even have to install any Adware – how very retro. Anyway, you can rest assured that simply entering a Facebook Username into this site is not going to give you access, so don’t be tempted – you’ll just end up generating lots of money for someone with a cheaply thrown together fakeout.

05 May 2010

Demo on how Facebook account credentials theft works

When you use a computer other than your own, you have to be especially careful about what online accounts you access - particularly if the computer in question is in a library or an Internet cafe, where a lot of people can use it without raising suspicion and without having to give their personal information to do it.

A recent episode that a Sunbelt researcher was the protagonist of demonstrates how easily your Facebook account credentials can be stolen.

He was at his local library and noticed that one of the computers available for use had a flash drive sticking out of one of its USB ports. His curiosity aroused, he sat down and checked the contents of the drive and found an executable that sports an icon similar to the original Facebook logo and purports to be a "FaceBook Remote Viewer" that allows you to visit Facebook from school or work by avoiding firewalls.

When executed, the user is faced with this screen:

As the program loads, a website with a (grammatically flawed) description also loads in the background, as a way to defuse any skepticism that the user might have.

The program eventually asks the user to enter his or her name, email and Facebook password, and seemingly proceeds with the log-in and loading process, but "fails" and shows the following screen:

Of course, the firewall is not the problem - the program wasn't designed to allow you to access Facebook. It is an information-stealing Trojan that collects your credentials, which are now conveniently stored in a .txt file placed on the flash drive.

The only thing left for the thief to do is to reclaim their flashdrive, take it home and do various horrible things to the stolen accounts.

Always be careful when logging into services at libraries, webcafes, school and work – your alarm bells should be ringing loud and clear whenever you see a flashdrive poking out of a public computer.

To view the full demo with more detailed screen shots, read here.

04 May 2010

Fake Amazon "Deal of the Day" emails doing rounds

Fake Amazon newsletters have lately become regular visitors in inboxes around the world, says Trend Micro.

With "Amazon.com Deal of the Day" in the subject line, coming from seemingly legitimate Amazon email addresses, and looking a lot like legitimate newsletters with product endorsements coming from the online retail giant, the spam campaign was probably pretty successful.

A click on any image or link embedded into the email would lead the victim to a possibly malicious site.

According to various entries on Amazon's forum, similar messages contained endorsements for Viagra and other pharmaceuticals instead of items on sale at Amazon. Rolling the mouse over the links revealed that all of them pointed to a Russian domain.

As one of the forum visitors commented, the problem with this kind of email is that the text is the same as in the legitimate Amazon emails, so if she labels it as spam, her email filter will block every future Amazon email of this kind.

Trojan disguised as a toolbar for Facebook

A Facebook toolbar is just what you need to make sharing and connecting with friends easier, says an email supposedly coming from "Facebook.com":

If you decide to click on the download link, the downloaded file ("toolbar.exe") will present itself with an icon of a black ball with "darkSector" written on it. That should be enough to raise suspicion, and a look at the file properties should be in order:

Sure enough, the properties reveal a positive jumble of information that has no connection whatsoever to Facebook (HijackThis is a well-known piece of security software from Trend Micro).

But, even if you wanted to download HijackThis, this isn't it. Symantec detects the file as a dropper Trojan, and recommends that everyone take this simple little step of checking the properties of every file that looks suspicious for any reason and whose provenance you doubt - oftentimes, the attackers won't even bother to properly disguise the file they are sending, or will do it badly.