New Trojan Opens Door for Malware by Name-Dropping "Facebook"

By | May 29, 2012

Yet another Trojan, this one disguised as an Adobe Flash update, is gaining access to unsuspecting users through a supposed courtesy message from Facebook, reports The Register. Users receive an email apparently advising them that their Facebook account has been slated to be "canceled" and that they need to click on the embedded link to either confirm or avoid such action. From there, the user is advised that they need to update their Adobe Flash application, which is what finally allows the malware to be installed.

This Trojan is particularly malicious because everything about the process seems legitimate. The initial message appears to come from "The Facebook Team." The embedded link takes the user to what appears to be an actual page. The user is advised to update Adobe Flash, a request so common that it wouldn't raise any particular red flags for most users. However, the most egregious aspect of the malware is its persistence. Even if the user chooses not to allow the apparent Adobe application update, the application will continue to pop up and pester the user until he finally gives in and "allows" the installation.

In fact, Facebook does not contact its subscribers by email, or personally at all, regarding account deactivation (not "cancellation," as the attackers referred to it). The social network's users can only manage their accounts directly through the Facebook site. What's more, reports, the "Facebook" page users are supposedly sent to using the link in the email is actually a third-party application utilizing Facebook's design. And the alleged Adobe update is actually an entire package of web hosting and other malicious applications, identified by the security firm Sophos as Mal/Spy-EyeB and Troj/Agent-WHZ, which can allow remote access and activity monitoring.

Exploiting users through the threat of account cancellation is nothing new, and security experts have even seen Facebook and other social networking sites used as a particularly nasty attack vector. But for SMBs, this Trojan can cause serious downtime and even data loss, especially if security is provided at each individual endpoint rather than through an umbrella strategy. Facebook and other social networking sites are no longer just for private sector, personal interactions. They have become integral to many SMBs' marketing strategies, and the threat of account disruption is exactly what the Trojan's developers are preying upon. For SMBs and other users, knowing the truth about how social media accounts are managed is the best insurance against these types of attacks.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
