January 22, 2016

Facebook Phishing Attack Contains a Trojan

Social media network Facebook is the target of a new phishing scam by cybercriminals who are believed to be behind a phishing attack targeting popular messaging app WhatsApp.

In a blog post, the Comodo Threat Research team revealed that the Facebook version of this Trojan-carrying phishing attack is similar to the earlier attack on WhatsApp and belongs to the Nivdort malware family. The lure is an email purporting to come from Facebook that informs the target they have an “audible” message.

The email carries an attached .zip file, and the malware is simply an executable inside that archive. When the .exe file is launched, it copies itself to the C drive and writes an entry to the auto-run key in the computer’s registry, so that the malware starts every time the computer does.

The Comodo team identified the phishing campaign through domain, IP and URL analysis. In their blog post, they note:

In this age of cyberattacks, being exposed to phishing is a destiny for every company, well-known or not. It may not be the most groundbreaking attack method cybercriminals use — but there’s no denying that cybercriminals are becoming more clever when crafting their messages.

The blog revealed that, as with other Nivdort Trojan strains, this variant harvests sensitive information including user names and passwords, bank and credit card details and even tax returns. The stolen data is sent to a malicious third-party server hosted in an offshore location.

Fundamentally, the malware relies on the trust the average user places in websites and apps such as Facebook and WhatsApp.

“More frequently, they’re using well-known applications or social platforms and also action-oriented language in the subject lines to entice recipients to open the emails, click the links or attachments and spread the malware,” stated Fatih Orhan, director of technology for Comodo.

The subjects of the emails that include the malware are varied in their approach, attempting to bypass antispam protection. Such evasive measures are evident with each subject line ending

They include:

  • A brief vocal e-mail was delivered. sele
  • An audio announcement has been delivered! Lucqmc
  • An audible warning has been missed. Yqr
  • You got a vocal memo! Fcqw
  • You recently missed a short audible notice. Rtn
  • Ein Videohinweis wurde vermisst! squy (German for “a video note was missed”)
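A defender-side mail triage check for the two traits described above (an executable wrapped in a .zip attachment, and subject lines padded with a trailing random token), written as an added example that is not part of the LIFARS article or the Comodo research; the message, sender address and attachment are constructed, and the suffix regex is a heuristic of my own, not a documented campaign indicator:

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Heuristic (assumption): the campaign's subjects end with a short bare word
# appended after the sentence's closing punctuation ("... memo! Fcqw").
TRAILING_TOKEN = re.compile(r"[.!?]\s+([A-Za-z]{3,8})$")


def has_random_suffix(subject: str) -> bool:
    """True if the subject ends in a padding token after its final punctuation."""
    return TRAILING_TOKEN.search(subject.strip()) is not None


def executables_in_zip(data: bytes) -> list[str]:
    """Return archive members that look like Windows executables (extension or 'MZ' header)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(2)
            if info.filename.lower().endswith((".exe", ".scr", ".com")) or head == b"MZ":
                found.append(info.filename)
    return found


def triage(msg: EmailMessage) -> dict:
    """Flag a message that pairs a padded subject with a zip-wrapped executable."""
    exes = []
    for part in msg.iter_attachments():
        if part.get_content_type() in ("application/zip", "application/x-zip-compressed"):
            exes.extend(executables_in_zip(part.get_payload(decode=True)))
    padded = has_random_suffix(msg["Subject"] or "")
    return {"suspicious_subject": padded, "executables": exes, "quarantine": padded and bool(exes)}


def build_sample() -> EmailMessage:
    """Constructed sample message, not a captured one: a .zip holding a fake 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Message.exe", b"MZ" + b"\x00" * 62)  # stub, not real code
    msg = EmailMessage()
    msg["Subject"] = "You got a vocal memo! Fcqw"
    msg["From"] = "notification@example.invalid"  # constructed sender
    msg.set_content("You have a new audible message. Open the attachment to listen.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    return msg
```

Either signal alone is weak (legitimate mail has zip attachments, and odd subjects are common); the combination is what the sample triggers on.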

Image credit: Flickr.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
