Facebook Phishing Campaign Pushes ‘Cocktail’ Attack
- Tuesday, November 3, 2009, 16:05
- Threat Research
We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.
The scammers have targeted Facebook users, telling them that their Facebook account passwords have been changed.
The malware downloads a keylogger to collect credit card numbers, Social Security numbers, and other passwords from the victims’ machines.
The malware pushes a fake security product, which disables many applications, such as Notepad, WordPad, etc., until the bad guys are paid.
This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.
The mail claims the password has been changed and that it is available in the attached zip file. Once the victims unzip it, they see a file with a spreadsheet icon. When the victim tries to open the file to look for a password, it drops the payload and deletes itself. Once the malware is installed, it establishes a connection to the attacker’s server through the HTTP port and attempts to download more payloads onto the infected machine.
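A mail-gateway triage check for the delivery pattern described above, written as an added example and not taken from the original post. It assumes the receiving server stamps an `Authentication-Results` header; the sample message, file names and finding labels are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BRAND_DOMAIN = "facebook.com"   # brand the lure impersonates, per the article


def build_sample() -> bytes:
    """Constructed sample: forged From:, ZIP holding a stub with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("new_password.exe", b"MZ" + b"\x00" * 62)  # inert bytes, not a program
    msg = EmailMessage()
    msg["From"] = "Facebook <service@facebook.com>"
    msg["Authentication-Results"] = "mx.example.test; spf=fail; dkim=none"
    msg.set_content("Your new password is in the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="password.zip")
    return msg.as_bytes()


def triage(raw: bytes) -> list[str]:
    """Return findings for one raw message. A genuine spreadsheet never
    starts with the Windows executable magic bytes "MZ"."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    # Assumption: the receiving MTA records SPF/DKIM results in this header.
    if from_domain == BRAND_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("unauthenticated-brand-sender")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                    findings.append(f"encrypted-zip-member:{info.filename}")
                    continue
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        findings.append(f"executable-in-zip:{info.filename}")
    return findings


if __name__ == "__main__":
    print(triage(build_sample()))
```

Checking the first bytes of each archive member, rather than its name or icon, is what catches an executable dressed up as a spreadsheet.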
The malware also downloads a keylogger and runs it covertly. This second attack hunts for any keystroke so that it can collect information such as the login ID, password, credit card and Social Security numbers, etc. The malware sends the data to a remote server through a backdoor