
Facebook 'Friend Request' Spam Spreads ZBOT Trojan Variant

Posted: August 25, 2011

It is no surprise to us that we wake up to more news about Facebook users being targeted by a new scam. This time hackers are spreading a fake Facebook 'friend request' notification that delivers a Zbot Trojan variant. Zbot Trojan, or Trojan.Zbot, is a data-stealing Trojan that is able to lower security settings and ultimately open up a system to remote attacks. Zbot can be used to steal passwords and login credentials, usually for online banking accounts, from a victim's PC. Additionally, Zbot may perform these actions without showing any notification to the computer user.

Because of its vast number of users, Facebook has virtually turned into a launching platform for hackers to conduct their scams. The latest rash of scams comes in the form of email messages designed to mimic the 'Confirm Friend Request' emails that Facebook normally sends when someone requests to become your friend. As harmless as these messages may seem, hackers have used them to their advantage by leading users to download malware such as the Zbot Trojan.

Figure 1. Fake Facebook Friend Request email.

After our research team received wind of this situation, they verified that these fake Facebook friend request emails, as shown in Figure 1, utilize a common link-embedding technique. The link embedded in the fake Facebook 'friend request' email leads the recipient to a page with a message stating that the latest version of Adobe Flash Player needs to be installed in order to proceed. Once the user decides to proceed, a file that appears to be an Adobe Flash Player update (updateflash.exe) downloads, but instead of installing Flash Player, it installs the Zbot Trojan on the compromised computer.
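As an added defender-side example (not code from the original post or from the research team), the following Python checks the links in a notification email for the pattern described above: link text that promises Facebook while the href leads elsewhere, or a link that points straight at an executable such as updateflash.exe. The sample email body, the trusted-domain list and the suffix list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not from the original post): an HTML body imitating a
# "Confirm Friend Request" mail whose links do not go where the text claims.
SAMPLE_EMAIL = """
<p>Jane Doe wants to be your friend on Facebook.</p>
<a href="http://flash-update.example.net/updateflash.exe">Confirm Friend Request</a>
<a href="http://www.example.org/fb/confirm">http://www.facebook.com/reqs.php</a>
<a href="https://www.facebook.com/reqs.php">Go to Facebook</a>
"""
# Assumption: hosts a genuine Facebook notification would link to.
TRUSTED_DOMAINS = ("facebook.com", "facebookmail.com")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted_host(host):
    """True only for a trusted domain or a subdomain of one (not 'evil-facebook.com')."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_links(html_body):
    """Return (href, reason) pairs for links a friend-request mail should not carry."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.path.lower().endswith((".exe", ".scr", ".zip")):
            findings.append((href, "link points directly at an executable/archive"))
        elif not is_trusted_host(target.hostname):
            findings.append((href, "link leaves the trusted domains"))
        shown = urlparse(text)  # visible text that is itself a URL
        if shown.hostname and shown.hostname.lower() != (target.hostname or "").lower():
            findings.append((href, "visible URL differs from real target"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags the executable download and the link whose visible facebook.com address hides a different target, while the genuine Facebook link passes.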

The variant of Zbot discovered to be installed through the fake Facebook 'friend request' email has been identified as TSPY_ZBOT.FAZ. This particular variant of Zbot is designed to monitor a predefined list of URLs in order to steal login credentials. A domain-generation technique is used by Zbot to randomly generate URLs based on the infected system's current date.

Recently, there have been instances where PCs infected with Zbot were prevented from accessing the YouTube and Facebook domains. Simply put, the user of a TSPY_ZBOT.FAZ-infected system would not be able to reach Facebook or YouTube, and if they did, the system would return a 'user or password is incorrect' message.

Figure 2. 'Upgrade Adobe Flash Player' prompt from the fake Facebook 'friend request' email link.

Zbot has a long history as a notorious banking Trojan that cybercrooks use to steal online banking login data. In the past, Zbot was also known to slip past many anti-virus applications, leaving an abundant number of systems infected and at its mercy. The latest Facebook scam is nothing new, but computer users must be aware of it so they can use caution if they receive a message similar to the one in Figure 2.

Have you ever encountered a fake Facebook 'friend request' email? Did you click on 'Confirm Friend' in the email? Was your system infected with the Zbot Trojan? If you were infected with a Zbot variant disguised as a Flash update file, you should run a full system scan to detect and remove Zbot and TSPY_ZBOT.FAZ.
