This morning a rather aggressive one-two punch started hitting our filters, and it is still very active, attempting to deliver Facebook phishing emails at a rate of about 1,000 messages per minute per sending domain, with about 30 domains in use. That's 30,000 messages per minute from this botnet, or 500 per second. On top of that, we've already seen about 1.65 million messages from this campaign.

As we've come to expect from Zbot, the phishing email is well crafted and could easily trick an unsuspecting recipient. The graphics are well done and all look like something you would see from Facebook. The email informs users that Facebook is updating its log-in system to, of course, make things more secure, and it urges them to click the Update button in the email. That alone should be all anyone needs to see: Facebook, your bank or anyone else does not need every one of their users to take part in order to update their product.
After the unfortunate victim clicks the link, they are taken to a fake Facebook log-on screen where their user name is kindly filled in for them; they only need to supply their password. But the attack doesn't end there. Not content with having stolen your Facebook credentials, the Zbot crew wants more. After "logging in", victims are taken to a page that goes one step further and offers what it touts as an "Update Tool", specifically updatetool.exe. So, having harvested a Facebook account, they also infect the victim's PC with the Zeus trojan. This trojan is known for stealing online banking credentials and other financial and personal data from its targets.
Stay away from these emails. The Zeus (Zbot) crew spares no effort in making their attacks appear genuine, so it is very important to protect yourself by being vigilant. Know that the threats are out there, and they are indiscriminate. If you don't personally know the sender, I'd avoid clicking any links in the email, especially when the phrase "your account" appears anywhere in it.
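The tells in this lure (a message claiming to be Facebook whose link leaves Facebook's domains, "your account" pressure wording, a link that carries the recipient's own address so the fake log-on page can pre-fill the username, and a download ending in .exe) are easy to score mechanically. The script below is an added example written for this page, not code from the original post or from any vendor's filter. The two messages it parses are constructed (invented sending domains and paths under example.net); the legitimate-domain list, the executable suffix list, and the idea that the pre-filled username comes from an address embedded in the link are assumptions, and the two-label domain check is a stand-in for a real public-suffix lookup.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional
from urllib.parse import urlparse

# Domains a brand legitimately mails and links from. Assumed list for this
# demo; facebookmail.com is the sender domain Facebook notifications use.
LEGIT_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}}
# The wording the post singles out ("your account") plus the lure's own pitch.
URGENCY_PHRASES = ("your account", "update your", "log-in system", "login system")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: a crude eTLD+1 that suffices here.
    Use a public-suffix list for real traffic (co.uk and friends)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def claimed_brand(msg: EmailMessage) -> Optional[str]:
    """Brand named in the From header or Subject, or None."""
    hay = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return next((b for b in LEGIT_DOMAINS if b in hay), None)


def body_text_and_urls(msg: EmailMessage):
    """Visible text (tags stripped, whitespace collapsed, lowercased) and
    every URL found as an href or bare link in the text/plain and html parts."""
    text, urls = [], []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            urls += HREF_RE.findall(body) + BARE_URL_RE.findall(body)
            text.append(TAG_RE.sub(" ", body))
    joined = re.sub(r"\s+", " ", " ".join(text)).lower()
    return joined, list(dict.fromkeys(urls))  # de-dup, keep order


def executable_urls(urls):
    """URLs whose path ends in a Windows-executable suffix (e.g. updatetool.exe)."""
    return [u for u in urls if urlparse(u).path.lower().endswith(EXEC_SUFFIXES)]


def triage(raw: bytes) -> dict:
    """Score one RFC 822 message; findings are (code, detail) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    brand = claimed_brand(msg)
    text, urls = body_text_and_urls(msg)
    to = msg["To"]
    recipient = to.addresses[0].addr_spec.lower() if to and to.addresses else ""
    findings = []
    # 1. Claims to be the brand, yet the links leave the brand's domains.
    if brand:
        off = sorted({urlparse(u).hostname or "" for u in urls
                      if registered_domain(urlparse(u).hostname or "")
                      not in LEGIT_DOMAINS[brand]})
        if off:
            findings.append(("offbrand_links", f"{brand} mail links to {off}"))
    # 2. "Your account needs updating" style pressure.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    # 3. The link carries the recipient's own address. That is one way a fake
    #    log-on page can show the username already filled in (assumed
    #    mechanism; the post only describes the effect).
    if recipient and any(recipient in u.lower() for u in urls):
        findings.append(("recipient_in_link", recipient))
    # 4. A link straight to an executable.
    exes = executable_urls(urls)
    if exes:
        findings.append(("executable_link", ", ".join(exes)))
    return {"brand": brand, "urls": urls, "findings": findings,
            "verdict": "phish" if len(findings) >= 2 else "clean"}


def build_sample(sender: str, subject: str, text: str, html: str) -> bytes:
    """Assemble a constructed test message; nothing here is a real capture."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "victim@example.org", subject
    m.set_content(text)
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


# Constructed lure modelled on the campaign above (domains are invented).
LURE = build_sample(
    "Facebook <update@fb-notify.example.net>",
    "Facebook is updating its log-in system",
    "Facebook is updating its log-in system to keep your account secure.\n",
    '<p>Facebook is updating its log-in system to make things more secure.\n'
    '<a href="http://fb-login-update.example.net/update.php?email=victim@example.org">\n'
    'Update</a> your account now.</p>\n')

# Constructed benign notification for comparison.
LEGIT = build_sample(
    "Facebook <notification+zj4o@facebookmail.com>",
    "Jane commented on your photo",
    "Jane commented on your photo: https://www.facebook.com/photo/123\n",
    '<p>Jane commented on <a href="https://www.facebook.com/photo/123">your photo</a>.</p>\n')

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, triage(raw))
```

Running the file prints a verdict for both constructed samples; to use it on real mail, feed `triage()` the raw bytes from your mail-flow hook and tune LEGIT_DOMAINS for each brand you see impersonated. The second-stage URL to updatetool.exe never appears in the email itself, so `executable_urls()` is what you would run over the links the fake log-on page hands out afterwards.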
UPDATE: When this phishing email is received on a smartphone with the Facebook application installed, it appears as an actual Facebook notification, complete with the Facebook icon. It shows up in your inbox as well as under the Facebook "Notifications" section in the application itself.