This morning a rather aggressive one two punch started coming into our filters, and is currently still very active attempting to deliver Facebook phshing emails at a rate of about 1000 messages per minute per domain used with about 30 domains being utilized. That’s 30,000 messages per minute from this botnet, or 500 per second. On top of that we’ve already seen about 1.65 million messages from this campaign.As we’ve come to expect from Zbot, the phishing email is well crafted and could easily trick the unsuspecting recipient into falling for its ruse. The graphics are well done and all look like something you would see from Facebook. The email informs users that Facebook is updating their log-in system to, of course, make things more secure, and it urges people to click on the update button in the email. First of all, this should be enough anyone needs to see considering Facebook, your bank or anyone else, doesn’t need every one of their users’ participation in order to update their product.
After the unfortunate victim clicks on the link, they are taken to a false Facebook log-on screen where their user name is kindly filled in for them, they only need to supply their password. But this isn’t where this attack ends. Not being simply happy with having had stolen your Facebook account, the Zbot crew wants more. After “Logging in”, victims are then taken to a page that takes it one step further and actually offers what it touts as an “Update Tool”, specifically updatetool.exe. So after claiming a new Facebook account, they’re also going to infect the victims’ PCs as well with the Zeus trojan. This trojan is known for targeting banking accounts and other financial and personal data from its targets.
Stay away from these emails, Zeus or Zbot spares no effort in making their attacks appear to be genuine. It is very important for you to protect yourself by being vigilant. Know that threats are out there, and they are indiscriminant. If you don’t personally know the sender, I’d avoid clicking any links in emails, especially when the term “your account” appears anywhere in the email.

UPDATE: When this phishing email is received on a smart phone with a Facebook application installed it appears as an actual Facebook notification complete with Facebook icon. It will be received in your inbox as well as under the Facebook “Notification section” in the application itself.

5 Responses

  1. Reply
    Oct 29, 2009 - 12:11 AM

    Documented this with similar observations and simple steps to avoid being fooled on’s blog:

  2. Reply
    Nov 03, 2009 - 10:36 AM

    when is someone of authority gonna contact me concerning the botnets.

    since aug of 2008, i am still fighting a worm/hacker/backdoor/botnet that still pings over 2000 machines an hour 24/7 that started in febuary.

    untill this gets addressed, the hackings will continue and my machines will continue to spread this botnet which allow the hackers to get into any machine undetected.
    im not 100percent sure about right now cause the hackers got a wider range of victoms. but the hacking that are going on were routed through my machines. facebook were being hacked way before april first of 2009. my roommate kept coming to me with problems with sites she goes to. when she logs onto facebook or twitter and lots of others, instead of her info coming up, it was alway random profiles belonging to others.

    what i learned is that the hashcodes shows what the hackers are doing in our machines. to clear it, we just simply deleted all cookies, but only after i copy the hash codes so i can monitor them.

    when the hackings where first brought to my attention when the worm was just a shaky engine, i kept getting disconnected aka dns every 30 minutes for months and months. experiments showed that the hackers were intently rewriting the scripts in the hubs which caused these DNS errors on my system. im not sure about yours. but im still waiting for someone to contact me so i can help everyone get in sync of whats really going on about these hackings and how they are doing it.

    i started withsome info..

  3. Reply
    Dec 10, 2009 - 09:00 PM

    Very amusing opinion

  4. Reply
    Dec 11, 2009 - 09:49 AM

    the worm and intents are constantly changing. i still stick with my storys about the worm. i formated over 500 times including low level, removed all devices that emit any signal, threw away all burned cd/dvds. and went through the extremes.

    the spaming is coming from inside your machines. the best way to explain it is that the firmware(hardware), BIOS(JUST IN CASE YA FORMAT) AND KERNEL IS ALTERED IN A WAY were a limited access wasnt the issue anymore.

    if you use sysinternal’s process monitor, and add a new firewall like zonealarm, and best try this after a format, you will see the worm breaking through from both sides of the connection. one side uses the kernel and as far as i know, graphics card, and then goes down a list of exploints in an open port(mostly 80) till broken in. he goes directly to the graphics adapter and alters the drivers, and then works on the audio and lan.

    microsoft just started in november to address the DNS situation from the main work. and im sure they will find out that it goes far deeper such as frequenycs and phone towers and the hacker used skyfire as the browser.

    there was a lot of cooincidences that link the danielle theft to a part of the creation of the worms.

  5. Reply
    Dec 12, 2009 - 02:46 AM

    huh… strange thread )

Have a thought on this article? Share it here.