Virus Alert: Facebook Password Reset Confirmation Support Message Attachments

March 22, 2010


There have been a lot of reported incidents this week involving fake Facebook "password reset confirmation" emails. Each carries a zip attachment containing an executable; opening it installs a Trojan which then runs rogueware, the fake antivirus, anti-spyware or anti-anything software that deceives an alarmed user with scan results listing non-existent threats and endless popup or balloon messages, until they pay for a license in exchange for a supposedly trouble-free system.

The mailing went out to thousands of addresses (I have no exact figures), and it was obviously not drawn from Facebook's own user database: even my domain email address, which has never been registered with Facebook, received the message below (copied as is):

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

Screenshot of the actual email:

Facebook Password Reset Confirmation Support Email with Rogueware Attachment

It is fairly clear that the email is not legitimate: there is no proper heading or personal salutation, and a real password reset never delivers the new password in an attachment. What is surprising is that neither Yahoo Mail nor my hosting provider's mail filter marked it as "Spam". If you aren't careful, or curiosity gets the better of you, you'll be tempted to download the attached zip file. Note also that the addressee of the email above wasn't me; it nevertheless landed in my rocketmail.com account.

The attachment is named Facebook_details_348.zip. Yahoo Mail's built-in Norton Antivirus scanner did not detect it as malicious yesterday, but when I tried downloading it again today it was blocked; presumably Norton had received a signature for it by then.

If I'm not mistaken, the executable inside the archive was Facebook_details_348.exe; it is zipped because most email services block bare .exe attachments on account of the risk they carry. Once run, it installs the rogueware XP Smart Security 2010, which renames itself to match the OS it finds, e.g. Vista Smart Security 2010 on Windows Vista.
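The tell-tale features above (generic salutation, "your password is in the attachment", a zip wrapping an .exe, mail delivered to a mailbox it was not addressed to) can be checked mechanically. The following is an added example, not code from the original post or from any mail provider: it reconstructs a message shaped like the lure from the text quoted above (the sender header and the bytes inside the archive are placeholders, and the sample addresses are assumptions) and runs a few heuristics over it. They are heuristics, not a substitute for an antivirus verdict.

```python
"""Added example (not the blog's own code): heuristics that flag a mail shaped
like the "Facebook password reset" lure described in the post.

The sample message is constructed here from the text quoted on the page; the
sender header and the bytes inside the archive are placeholders, and the
checks are heuristics, not a replacement for an antivirus verdict.
"""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear member", "dear client")

# Body text of the lure, as quoted in the post.
LURE_BODY = (
    "Dear user of facebook,\n\n"
    "Because of the measures taken to provide safety to our clients, "
    "your password has been changed.\n"
    "You can find your new password in attached document.\n\n"
    "Thanks,\nYour Facebook.\n"
)


def zip_with_member(name: str, data: bytes) -> bytes:
    """Return a zip archive holding one file (used to build the sample mail)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_message(to: str, body: str, filename: str, attachment: bytes) -> bytes:
    """Construct a raw RFC 5322 message with one attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "Facebook <support@example.invalid>"  # assumed; real headers not on the page
    msg["To"] = to
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content(body)
    subtype = "zip" if filename.lower().endswith(".zip") else "octet-stream"
    msg.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def archive_members(data: bytes) -> list[str]:
    """List file names inside a zip payload; empty list if it is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []


def is_executable_name(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def inspect_message(raw: bytes, my_addresses: set[str]) -> list[str]:
    """Return findings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if text.lstrip().startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    if "password" in text and "attach" in text:
        findings.append("body says the password is in an attachment")

    # The post's copy was addressed to someone else yet landed in the author's inbox.
    recipients = {a.strip().lower() for a in str(msg.get("To", "")).split(",")}
    if my_addresses and not recipients & {a.lower() for a in my_addresses}:
        findings.append("not addressed to this mailbox")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_executable_name(name):
            findings.append(f"executable attachment: {name}")
        # Look inside archives: zip is the usual wrapper when bare .exe is blocked.
        for member in archive_members(payload):
            if is_executable_name(member):
                findings.append(f"executable inside archive: {name} -> {member}")
    return findings


def sample_lure() -> bytes:
    """The lure from the post, rebuilt as a message with a placeholder payload."""
    fake_exe = b"MZ" + b"\x00" * 62  # placeholder bytes, not a real program
    return build_message(
        "someone.else@example.net",  # assumed addressee, as in the post it was not the author
        LURE_BODY,
        "Facebook_details_348.zip",
        zip_with_member("Facebook_details_348.exe", fake_exe),
    )


def sample_benign() -> bytes:
    """A harmless message with a text attachment, for comparison (constructed)."""
    return build_message("me@example.org", "Hi Math,\n\nNotes attached.\n", "notes.txt", b"nothing here\n")


if __name__ == "__main__":
    for label, raw in (("lure", sample_lure()), ("benign", sample_benign())):
        print(label, inspect_message(raw, {"me@example.org"}) or ["clean"])
```

The archive check is the one that matters most: a mail filter that only looks at the outer attachment name sees "application/zip" and lets it through, which is exactly why the lure ships the executable zipped.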

I have direct experience with this scenario, which is why I'm sharing it with all my readers. My PC is in good condition after the fake antivirus attack, and I did nothing special to fix it. If you want to know how I removed the fake antivirus in minutes without any complicated steps or registry editing, stay tuned by subscribing to this blog via email or RSS and watch for my post about it.

Updated 24 March 2010

Here’s my follow-up post regarding this incident, How To Remove Fake Antivirus Software.


Category: security-privacy

Comments (15)


  1. Gojeg says:

    Hi, long time no see this blog. Your blog has improved a lot..
    Hmm, I have never received a message like that, lucky me! 😀

  2. Mathdelane says:

    Hey Taufiq,
    It’s nice to see you back! I guess you’re lucky to not receive something similar but in case anytime in the future, you’ll definitely have an idea.

  3. Ching Ya says:

    This is dreadful and outrageous. It’s tricky and anyone could have overlooked and click the attachment straight away. I have tweeted this and shared on my fan page. Wonderful work done here Math for bringing up this security issue, can’t be too careful these days.

    @wchingya
    Social/Blogging Tracker

  4. bbrian017 says:

    I’ve heard about it but I didn’t actually see it. Perhaps they only send it to Facebook users they think aren’t tech savvy lol. I would have spotted a virus and hack attempt from a mile away.

  5. James Moralde says:

    I received such an email twice. The first time, I opened the email and upon reading it knew it was a virus/trojan carrier, so I didn’t even hover over the attachment and closed it (though I didn’t delete it).

    But soon after, I began to see a red popup that says AVG (which is the antivirus software in my laptop) has blocked a possible unsafe site.

    Hey Math, please go ahead and post about your method of removing it. I think I got it in my laptop because even sites I trust like Sire’s (and one of mine) was deemed unsafe by the AVG popup (though not all the time). It’s evidently a fake security popup. How can such a virus go through both AVG and Zone Alarm?

  6. Mathdelane says:

    @Ching Ya
    Your presence and comment is appreciated on this blog. I’ve been writing similar posts of this kind since I started blogging in 2008 and during the Conficker scare of 2009. It’s good to know that I was able to help a lot of people from my posts based on real life experiences and not just mere theoretical observations and rewritten scripts scraped from the internet.

    Your observations are true, we can’t be less vigilant nowadays.

    @bbrian017
    Curiosity kills the cats as they say but curiosity leads to discovery. If in your opinion that only less techie people are sent with these emails, then you basically don’t need to read these kinds of posts because it seems that you don’t need it anyway.

    This blog is not an aggregate of recycled information, fictional/fabricated stories and scraped technology news or a hub for long winded theories of online SEO.

  7. Mathdelane says:

    @James,
    I’m more terrible than you are because my curiosity pushed me to download the attachment, extract it and run the executable file.

    I’ve had the same experience as you, where AVG tags a web page as harmful. It happened to my Google Feedburner account, which I couldn’t log in to for a month. It depends on your browser actually.

    I don’t think your case will be resolved by my upcoming post regarding the above scenario because it seems different. However, I’d suggest that you run a full PC scan with your antivirus (must be AVG 9.0) and spyware (try Spybot) and make sure that they are updated. Try to clear up your browser cookies, cache, and history regularly. It worked for me.

    Let me know what comes up.

  8. James Moralde says:

    Thanks Math, will do as you suggested.

  9. Sire says:

    I get this sort of stuff all the time and usually post it on my Load Of Bullsh*t site as a warning to others. I think it’s good that we warn others about these types of emails, about the dangers of opening .exe files or of supplying personal information on the net. It’s good to see others are doing the same.

  10. Mathdelane says:

    That’s what people should be doing. Disseminating useful information both online and off.
    Thanks for the comment, Sire!

  11. Well, this happens to me many a time. Usually, our (bloggers’) email is exposed on our blogs so that readers can contact us. This serves as an invitation for many phishers and keyloggers, as you’ve mentioned in the article. It’s better to share it with all our readers to make them cognizant of the dangers online.

  12. CARRIE says:

    I’ve been trying to access my Facebook account but I forgot my password and tried to reset it more than once, and now I’m getting the message that I have reached the limit of password reset attempts. Is there anyone that can help with this problem? Thanking you in advance. Carrie
