Beware Weekend Facebook Scam!

The cybercriminals seem to have completed their Black Friday shopping and returned to work this morning with a new Facebook scam. Its probably wrong to call it "new", since its a re-tread of the Facebook scam we warned about October 28th.

The UAB Spam Data Mine saw approximately 20,000 copies of this email today, with the following websites being used in the spam:

www.facebook.com.hssaze.be
www.facebook.com.hssazg.be
www.facebook.com.hssazh.be
www.facebook.com.hssazi.be
www.facebook.com.hssazj.be
www.facebook.com.hssazl.be
www.facebook.com.hssazo.be
www.facebook.com.hssazp.be
www.facebook.com.hssazq.be
www.facebook.com.hssazr.be
www.facebook.com.hssazt.be
www.facebook.com.hssazu.be
www.facebook.com.hssazw.be
www.facebook.com.hssazy.be

Three email subjects (with some variation in case) are used:

Facebook Account Update
Facebook Update Tool
New login system

The path, /usersdirectory/LoginFacebook.php is appended with a unique string for each email sent.

The emails look like this:

Dear Facebook user,
In an effort to make your online experience safer and more enjoyable,
Facebook will be implementing a new login system that will affect all
Facebook users. These changes will offer new features and increased
account security.
Before you are able to use the new login system, you will be required to
update your account.
Click here to update your account online now.

If you have any questions, reference our New User Guide.

Thanks,
The Facebook Team

and the webpage starts like this:



After entering your userid and password, the malware page is loaded:



The "updatetool.exe" is malware, of course.

File size: 129536 bytes
MD5...: adc5806e32716e588faf44622ccb5f9a

Early this morning, virustotal was showing a 5 of 41 detection rate. That's greatly improved now, to 17 of 41, as shown in this current VirusTotal Report. The malware is confirmed to be a Zeus/Zbot infector.