Two New Fraudulent E-mails Pose as Facebook and Federal Deposit Insurance Corporation

By Matthew Harwood

Two new fraudulent e-mails are trying to lure unsuspecting victims into installing malware on their computers, says a leading Web and e-mail security provider.

Analysts at M86 Security Labs yesterday publicized two e-mails pumped out by the Pushdo botnet that pose as Facebook and the Federal Deposit Insurance Corporation (FDIC). Each e-mail uses a different trick to download malware onto the target's computer.

The Facebook e-mail carries a subject line advertising a password reset confirmation. When the e-mail is opened, the message reads that Facebook has changed the user's password and that her new password is in the attached document.

According to M86 Security Labs, it wouldn't be wise to open that attachment.

Inside the attached zip file is an executable file that, if run, will install Bredolab, a malicious downloader. One of the first things we saw this Trojan horse download was the Pushdo bot, which began spamming out more of these Facebook password reset e-mails.

The second phishing e-mail sent out by the Pushdo botnet is more clever, considering the poor economy and this past year's banking scandals. Posing as the FDIC, which guarantees citizens' banking deposits up to a certain level, the e-mail tells victims their bank has failed.

It then tells e-mail recipients to click on the link "to check your Deposit Insurance Coverage," which takes them to a fake FDIC Web site dressed up to look like the real thing.

Victims are then asked to download their personal FDIC insurance file as a Word document or a PDF file. Either one will download malware onto your computer.

The links to both the PDF and the Word document lead to a ZBot executable. Over the last several months Pushdo has been spreading ZBot with campaigns that have a strong social engineering component, are backed up with well-designed websites, and offer the user plausible reasons to run a file. Some of these previous campaigns are the Michael Jackson campaign, the IRS scam seen over the last month, and the server update scam seen a couple of weeks ago.

The spoofed FDIC Web site also carries another interesting trick used by the botnet. If you look closely at the address bar, you can see that most of the URL is whited out. That's the botnet projecting a white box over the end of the address bar to further obscure that the Web page is fake.

The FDIC has also put out a consumer alert, warning people of the fraudulent e-mail and reminding them that the information they divulge could be used to steal their identity or log in to their online banking account.

In other Web security news, one Web site warns people to be wary of any unsolicited e-mails leading up to Halloween. Cybercriminals love to exploit holidays.

"Typical scams include online greetings cards, or links to holiday sites such as the 'dancing skeleton' attack," reports the Web site. "The messages often contain a Trojan attachment or a link to a malicious page disguised as a greetings card or video file."

♦ Graphics provided by M86 Security Labs.
