Fake Facebook 'Add Friends' E-Mail Adds Malware

Social networking sites like Facebook and MySpace give scam artists and virus writers new ways to package tried-and-true tricks. The latest example making the rounds is an e-mail that appears to be an invitation from Facebook to add a friend: A recipient who opens an attached image to take a look at their new friend instead opens the door for hackers to compromise their PC.

Internet security firm Websense warns about this latest scam, which takes advantage of common notifiers sent by Facebook to alert users when another user adds them as a friend on their social network:

The spammers included a zip attachment that purports to contain a picture in order to entice the recipient to double-click on it. The attached file is actually a Trojan horse.


The message also includes a login form to the Facebook home page. Unlike the countless scam e-mails that try to steal Facebook usernames and passwords using a fake login page, this one sends any credentials entered into the form directly to Facebook, logging the user into his or her actual page. Websense says this is probably a ruse to make the message appear more authentic, but in reality the scammers could have easily intercepted those credentials as well.

As Security Fix has warned time and again, social networking sites are fast becoming the most fertile grounds for spreading malicious software and Internet scams. Earlier this year, Symantec Corp. found that two social networking sites together were the target of 91 percent of U.S.-based phishing Web sites. Social networking sites also were the leading targets of phishing sites located in four other countries listed by Symantec in its phishing Top 10.

Here are a few tips and things to keep in mind that can help you avoid being burned by e-mail based attacks:

- E-mail addresses in the "From:" field can be easily spoofed.
- Never open attachments in e-mails that you weren't expecting, even if the e-mail appears to come from some person or entity you know and trust. (Legitimate Facebook friend requests, in fact, don't include attachments.)
- Avoid responding to unsolicited e-mails. You'll only let spammers know they've got a mark for future e-mails.
- Consider switching from HTML e-mail to text-based messages only. Malicious JavaScript and nasty instructions written in other powerful scripting languages can be embedded in HTML messages, and in many cases that code will load as soon as you view the message.
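
The traits described above lend themselves to a mechanical check at a mail gateway or in a triage script. The following Python sketch is an added example, not code from Websense or from the original post: it flags a zip attachment, executable members inside it, and active content such as a form or script in the HTML body. The sample message, its addresses and the member name `new_friend.jpg.exe` are constructed for illustration, and the tag and extension lists are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")
ACTIVE_TAGS = {"form", "script", "iframe", "object"}

class TagScan(HTMLParser):  # records active-content tags seen in an HTML body
    def __init__(self):
        super().__init__()
        self.found = set()
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.found.add(tag)

def triage(raw: bytes) -> list:
    """Return findings for one raw message. "From:" is not consulted: it is spoofable."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            findings.append("zip-attachment:" + name)
            try:  # list member names only; nothing is extracted or executed
                members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
            except zipfile.BadZipFile:
                members = []
                findings.append("unreadable-zip:" + name)
            findings += ["executable-in-zip:" + m for m in members if m.lower().endswith(EXEC_EXT)]
        elif part.get_content_type() == "text/html":
            scan = TagScan()
            scan.feed(part.get_content())
            findings += ["html-" + t for t in sorted(scan.found)]
    return findings

def build_sample() -> bytes:
    """Constructed message with the traits described above; the zip member is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("new_friend.jpg.exe", b"inert placeholder, not a program")
    m = EmailMessage()
    m["From"] = "Facebook <notify@facebook.example>"  # constructed sender
    m.set_content("Someone added you as a friend.")
    m.add_alternative('<form action="https://www.facebook.example/login"><input name="email"></form>', subtype="html")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="picture.zip")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A plain-text message with no attachment produces an empty list, which is the shape a legitimate friend notification should have according to the tips above.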

By Brian Krebs  |  September 23, 2008; 1:55 PM ET
Categories: Fraud, Latest Warnings, Safety Tips, Web Fraud 2.0


So, too, is Tagbook (I think that's the name). I've been getting invitations from people I know whose address books have been maliciously used to send invites without their knowledge.

Posted by: Gary | September 23, 2008 4:39 PM | Report abuse

The two comments in the Russian alphabet have clickable links. Since when is posting clickable links permitted? Why would anyone post on a security blog in a major English-language newspaper whose readers aren't likely to read Russian, in the Russian alphabet, if you aren't trying to hide something?

Posted by: TomatoQueen | September 24, 2008 5:56 AM | Report abuse

Just FYI, the Russian posts are ads for ringtones, games, etc. and Web services for businesses.

Retaliation for Brian's exposure of Russian Internet scams?

Posted by: Gary | September 24, 2008 6:28 AM | Report abuse

Just had a friend of mine whose whole identity was stolen because he opened up an invitation by someone he thought was a "friend" on facebook . . . very scary stuff. Now that "friend" has created a facebook page with his identity, luring in real friends and obtaining email addresses, etc. Very scary stuff.

Posted by: julie310 | September 24, 2008 6:53 AM | Report abuse

Huh? Suggested rule: Post only in English. Capice?

Posted by: Pete from Arlington | September 24, 2008 9:10 AM | Report abuse

Several of my Facebook friends have been phished but my Firefox browser caught the fake email in time. It was only for ringtones but you never know.

Posted by: Lucas | September 24, 2008 9:56 AM | Report abuse

I've seen this as well in online messenger sends. Mainly with MSN.
Instance 1:
The user you're IMing claims they're going to send you a picture. It comes up in a 5 kilobyte (varied) folder. This is a virus.
Instance 2:
One of your friends asks you to check out a website, and in that website, it asks you to log in to a website that you use, but it isn't that website. Don't trust it, it will enter your computer, send that link to everyone on your add list, and keylog you.

My question is, do people really get kicks out of doing this?

Posted by: Forrest | September 24, 2008 10:45 AM | Report abuse

It is sad that there are people who get a kick out of doing this. My only assumption for this is: the reason that they are messing with people, is because they have been messed with. People probably ignored them when they needed attention most. This is their strongest outlet for frustration, anger, etc. Our only thing is to pray for them.

Posted by: csi | September 24, 2008 11:37 AM | Report abuse

This isn't for kicks or something petty like revenge for a bad childhood. Malware is about money. Pure and simple. Long gone are the days where the majority of hacks were people just seeing if it could be done, harmless pranks, and minor annoyances.

It's all about the money now.

Posted by: Charles Decker | September 24, 2008 1:29 PM | Report abuse

I've gotten some VERY "good" phishing lately, impostering a bank and a credit card.

When I'm not sure, I right-click on links or hyper-text in the phish-y e-mail for "properties". That seems to work, to flush out phish. Any reason this is a bad idea?

Posted by: El Paso, TX | September 24, 2008 6:23 PM | Report abuse

I work for a major cable company's internet phone support upper level tier support. The advice I give my customers is if it asks you for any banking info or anything you think fishy don't trust it. If it comes from a source you do not know do not trust it. If the website does not have an s in it like https not http it is not secure. If it comes from a banking site, company you do billing with ie the cable company, you can always call before you put in the info. The best thing to do before downloading a file or opening emails is scan them for viruses.

Posted by: C. W. | September 25, 2008 3:40 AM | Report abuse

Wow, that's really scary. Great story!

-- Ishmael

Posted by: Ismael Howard | September 25, 2008 2:10 PM | Report abuse

hey crystal

Posted by: Casey b. carden | September 25, 2008 2:27 PM | Report abuse

I've worked the Call Center Industry for approximately 5 years... my experience, as a rep is that even if you DO call in, with your legitimate inquiry about phishing scams... you will simply be told it is related to your last visit to their home page, or their default customer page if you deal with HSD/ISP providers or self-install kits.

No company will ever ask you for personal information by e-mail solicitation. There is no way to confirm the information is not being provided under duress - the intention of the https:// while indeed is a secure alternative, is not fail proof.

Buyer beware, and simply complete your transactions in person.

Posted by: CableCSR | September 26, 2008 10:53 PM | Report abuse


The comments to this entry are closed.


© 2010 The Washington Post Company