The new Facebook malware comes in the form of an email that claims someone has posted an image of you on Facebook. The email looks very real with the exception of the actual email address. In order to keep things as close to the real thing as possible, the coders slipped in an extra “o” in the “from” address (so it reads Faceboook). This is a slight addition that 99% of people will overlook (we are sure you have seen the Facebook post about reading misspelled words). If you click on the link to view the picture of yourself then you are in for an interesting trip. First the link takes you to another page (not Facebook) where it uses an iFrame script to try and infect your system, however to avoid too much suspicion the link does redirect you to a random user on Facebook within about four seconds.

From there you can try to figure out what happened as there is no picture of you at all. It is a cleverly written bit of code. However, with a little attention you will be able to spot the real from the fake. First check the address if it is from Faceboook do not open it. Second if you hover over the links in the email you will see that they do not take you to Facebook.com, but to another site completely.  We will expect more of this type of malware to hit and soon now that Facebook uses paid sponsored posts and real money. We wonder when the first targeted attacks on the payment systems will start and if some of the recent malware are simply testing the waters for a more concentrated effort down the road.

Sophos Blog Post

Discuss this in our Forum