Do not click on any email from Facebook. Yet another new malware attack has hit Facebook — this one with some twists. Although it will probably trap thousands of users, it’s not a very good attempt.
At 18:14:03 24 Jun 2011 (four hours from now, obviously an Eastern Europe sender) we received two of these, and then later several more in our spam traps. There are two “senders” and two different “Subject” lines, so far — both bogus.
From: email@example.com Subject: Your privacy information has been published From: firstname.lastname@example.org Subject: Your Account Details has been rejected by bank
The alarming part of this new threat is
a) clicking downloads a dot-EXE file posing as a PDF, and
b) it appears to be hosted and administered on Yahoo.
In your mail reader it may look different, but this is the one we got. Telltale elements told us immediately it is bogus and either phishing or malware.
Note the misspelled word, and when hovering over the link we see hostingprod.com as the target — which has nothing to do with Facebook what so ever! They also attempted to elude spam traps by using the http://www.federalreserve.gov link in their footer … labeled “Facebook Security.”
The file which is the target is an EXE file, so that’s particularly troublesome.
Tracking the IP address and NS servers took us directly to Yahoo. Here’s what the Whois report looks like. The IP address takes us to Yahoo’s sp2.yahoo.com (DNS authenticity: Verified) server in Chicago, Illinois.
If you get mail from Facebook, do not click any links. Better safe than sorry.
Follow the InfoManager’s previous Safenetting Alerts