Massive bot attack spoofs Facebook password messages

Computerworld - A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages, according to security researchers.

The attack, which began Monday afternoon, according to e-mail security vendor Cloudmark, targets Facebook users with a spoofed message that claims recipients' Facebook passwords have been reset as a security measure. The messages, which come bearing subject lines such as "Facebook Password Reset Confirmation," include a file attachment that supposedly contains the new password.

In fact, the attached .zip file includes a Trojan downloader, dubbed "Bredlab" by some antivirus companies, "Bredolab" by others. The downloader grabs a variety of malware from hacker servers, including fake security software, or "scareware," and installs attack code and rogue antivirus applications on the compromised PCs.

Multiple security companies, including Symantec, Trend Micro, MX Lab and Websense, have put out warnings about the attack campaign. "This variant of Bredolab connects to a Russian domain and the infected machine is most likely becoming part of a Bredolab botnet," said Shunichi Imano, a security researcher at Symantec, in a post to the firm's security blog.

Jamie Tomasello, Cloudmark's abuse operations manager, said today that her company alone has detected nearly three-quarters of a million phony Facebook messages since Monday, and nearly 250,000 in the last 24 hours. "Our count continues to go up, and is at about 735,000 now," said Tomasello. "It's a pretty high volume."

According to Tomasello, both desktop clients and ISPs that use Cloudmark to filter potentially malicious mail have reported receiving the fake Facebook e-mail.

At least 8% of the users who have received one of the fake messages have tagged it as legitimate, going to the trouble of pulling the message from their junk folder -- where Cloudmark has placed it -- because they think it's real, Tomasello said. Cloudmark has no data on how many users were actually duped into opening the .zip file and running the enclosed .exe that installs Bredolab, however.

"The numbers are equal to or higher than other Facebook malware or phishing campaigns," Tomasello claimed. She said that Cloudmark is currently revising that 8% estimate upwards.

Because of its huge base -- last month Facebook said it had more than 300 million users -- the site is a frequent target for hackers and identity thieves.

Last March, for example, the Koobface worm made the rounds on Facebook, as well as other social networking sites such as MySpace and Friendster, infecting large numbers of users.

Facebook confirmed that the attack is being conducted via e-mail, not on Facebook, the tactic that other malware, including Koobface, has used. "We're educating users on how to detect this through the Facebook Security Page," a Facebook spokesman said today. Users should be wary of suspicious or unexpected e-mail that claims to be from Facebook. "Facebook will never send you a new password as an attachment," he added.

Read more about security in Computerworld's Security Knowledge Center.