Cybercriminals Exploit Facebook Bug for Spam Campaign

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Cybercriminals seized on Facebook users' woes earlier this week to spread a malicious downloader Trojan the old-fashioned way—by e-mail.

A bug that led popular social networking site Facebook to accidentally delete a host of legitimate accounts earlier this week was quickly seized by cybercriminals to get Facebook users to execute a malicious downloader Trojan.

On Tuesday, Facebook confirmed that it had found a bug in one of its systems that is designed to detect and disable fraudulent user accounts. The bug led to the disabling of a number of legitimate user accounts.

"I tried to log into my account and I was having trouble," said Linda Sharkey, a Facebook user whose account was disabled. "I received an e-mail that said it was from Facebook. It said my account had been disabled because I had broken a policy for purporting to have a different identity or something like that."

Sharkey, who said she had not violated Facebook's terms of use, later received an e-mail from Facebook that said Facebook would reactivate her account, but the company required her to file a report about her identity including a digital copy of a government-issued ID.

While Facebook appears to have issued that e-mail, it seems to have been too good an opportunity for cybercriminals to pass up. These cybercriminals quickly issued a message to Facebook users that claimed to be from Facebook Support, according to security firm M86 Security Labs. The message told users their account had been used to send spam and Facebook had changed their password as a result. The message included an attachment, which it claimed was a letter that explained what had happened and contained the user's new password.

Users who attempted to open the letter executed the Sasfis downloader Trojan, which pulls down other malware, such as banking Trojans, fake antivirus and keyloggers.

"We have seen this particular spam campaign being quite well spread all around the world in quite noticeable numbers," said Bradley Anstis, vice president of Technology Strategy at M86 Security Labs, which operates 114 honeypot accounts around the world. "We noticed it about the 17th. It was very fast to react to the Facebook news. We really noticed a lot of volume around the 18th. Right now, it's looking like it's died back down again."

The spam campaign is connected to the Asprox botnet, Anstis said. Asprox is one of the larger botnets still in existence.

"Asprox is a real rollercoaster," Anstis said. "It kind of goes hot for a couple of weeks or a week at a time and then it quiets down again. It seems to be kind of a workhorse botnet in that it seems to be reused to do lots of different things all the time."

Anstis said that M86 Security has seen Asprox sending spam, downloading keyloggers, trying to infect legitimate Web sites and more.

"We've seen it doing all sorts of things aside from the normal things a botnet-controlled Trojan usually does," he said. "Just when we think that viruses and malware don't come through e-mail anymore as attachments, we see something like this."

In the meantime, Facebook appears to have reactivated the disabled user accounts. Sharkey said her account is back as if nothing ever happened.

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards, telecom and security, among other technologies.

Keep up-to-date with social networking security news; follow eSecurityPlanet on Twitter @eSecurityP.