::Trend Micro Threat Resource Center::

28 November 2012

Fake Facebook alert leads to Blackhole, malware

Due to the huge popularity of Facebook and its one billion active users, bogus emails impersonating the social network are constantly hitting users' inboxes.

The latest of these is a notification alert about "activity you may have missed on Facebook".

Clicking on any of the offered buttons or the "unsubscribe" link ultimately lands users on a page hosting the Blackhole exploit kit serving an exploit for Adobe Reader and Acrobat.

Victims who run a vulnerable version of either product and have no AV solution are automatically saddled with an information-stealing Trojan.

The Trojan variant in question is now detected by 28 of the 43 AV products used by VirusTotal, but at the beginning of the spam campaign even those who had AV software installed were not safe, as the malware was detected by only three of them, Webroot warns.

Users are advised never to follow links offered in unsolicited emails, no matter how legitimate they look. Check your Facebook account for "activity you have missed" if you must, but do it by logging in through the legitimate login page.

26 November 2012

Bogus Apple invoice leads to Blackhole, banking malware

If you receive an invoice seemingly coming from Apple that apparently shows that your credit card has been billed for $699,99 (or a similarly preposterous amount of money) because you bought a postcard, don't click on any of the embedded links no matter how curious or alarmed you are.

The bogus invoice looks good enough to fool many.

"The link 'View/Download' ends in download.jpg.exe, while the 'Cancel' and 'Not your order' URLs end in check.php," shares Graham Cluley. "The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links."

A click on the former link will automatically download the malware, while a click on the latter ones will take the victims to a bogus IRS page warning them that they are using an unsupported browser.

But this is simply a smokescreen designed to puzzle the user while the Blackhole exploit kit works furiously in the background, trying to exploit a host of Oracle Java, Adobe Flash Player and Adobe Reader vulnerabilities.

If it succeeds, the victim's computer is infected with a variant of the Zeus / Zbot banking Trojan. If not, they are offered a download of the latest version of their browser. The offered file is named update.exe and is also a Zeus Trojan variant.
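The two lures above share the same tells: a link whose file name ends in an executable extension hidden behind a harmless-looking one (download.jpg.exe) and links that point away from the brand the mail claims to come from (the Facebook "unsubscribe" link, the Apple "Cancel" link). The following is an added example, not code from Trend Micro, Webroot or Sophos, that scans an HTML mail body for both tells; the host name lure.example and the sample message are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions Windows executes when opened; the campaigns above used .exe
EXEC_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js"}

class _LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href, claimed_domain):
    # Reasons a link is suspicious, given the brand the mail claims to come from
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    parts = parsed.path.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) > 1 and parts[-1] in EXEC_EXTENSIONS:
        # download.jpg.exe: an executable hidden behind a harmless-looking inner extension
        reasons.append("double_extension" if len(parts) > 2 else "executable_download")
    if host and host != claimed_domain and not host.endswith("." + claimed_domain):
        reasons.append("domain_mismatch")  # "Apple"/"Facebook" mail linking off-brand
    return reasons

def scan_email_html(html, claimed_domain):
    # [(visible text, href, reasons)] for every link with at least one reason
    p = _LinkExtractor()
    p.feed(html)
    out = []
    for href, text in p.links:
        reasons = classify_link(href, claimed_domain)
        if reasons:
            out.append((text, href, reasons))
    return out

# Constructed sample modelled on the invoice above; lure.example is a placeholder host
SAMPLE = """<a href="http://lure.example/files/download.jpg.exe">View/Download</a>
<a href="http://lure.example/check.php">Cancel</a>
<a href="https://www.apple.com/support">Apple Support</a>"""
```

Calling scan_email_html(SAMPLE, "apple.com") flags the first two links and leaves the genuine apple.com link alone; the same function with "facebook.com" covers the notification lure.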

24 November 2012

Digitally signed ransomware lurking in the wild

Trend Micro researchers have spotted two ransomware variants bearing the same (probably stolen) digital signature in order to fool users into running the files.

Other than that, the malware acts like any other ransomware: it locks the victim's computer and shows messages that seem to come either from the FBI or the UK's Police Central e-crime Unit.

"Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability," say the researchers.

And if the bogus law enforcement messages are anything to go by, it seems that those same malware peddlers have managed to hack the DNS records of Go Daddy hosted websites so that they can redirect victims to malicious sites hosting the Cool exploit kit.

Sophos' researchers speculate that the DNS records hijacking was due to stolen or weak passwords.

"Go Daddy customers who wish to check they have not been affected by these attacks should check their DNS configuration according to the Go Daddy support page," they advise.

16 November 2012

Facebook Black Is Scamming You

As more and more people join social networks like Facebook and Twitter, it only gets easier for scam artists to pick off a few non-discerning users. The latest scam that's making its way across Facebook offers to change your user interface to a cool, new color if you're sick of the boring old Facebook blue.

Users are now seeing images advertising the new "Facebook Black" in their news feeds. The image asks users to click a link shared above, which will then lead them to an official-looking app permissions screen. Of course, there's no such thing as "Facebook Black" and clicking on the link will only open you up to a possible security breach.

Sophos' Naked Security blog reports that the ruse is the work of survey scammers, who prey on unsuspecting users who will complete surveys in order to receive the promised product. These surveys earn affiliate cash for the scammers.

"Are you sick fo that boring old blue theme? Well now you have the power to change your facebook color to anything your heart desires," reads the page. Sophos claims that some versions of the dubious link attempt to fool users by displaying a limited time offer and prompting them to generate a code to access the new feature.

Although they may look legit to the untrained eye, some of the scam landing pages can be easily identified because they have failed to wipe the text from previous clickjacking scams, such as the Remove Facebook Timeline scams popular earlier this year.

As always, the advice here is to investigate any "new feature" or "offer" that seems too good to be true or out of the ordinary. And if you happen to get caught up in a scam, make sure you remove any corresponding likes and app permissions from your Facebook account.