Microsoft Project Server, SharePoint, Security and other cool things…

Rolly Perreaux


Beware of Facebook Trojan Horse

Posted on February 08, 2010 by Rolly Perreaux

Well, guess what popped up in my email inbox this evening?
Another "Facebook Service" email with another attachment.

Now normally I would just delete the email…
But I figured that with all the new changes Facebook made to their website, someone just might open and run the attachment. So I figured this would be another learning opportunity for my non-geek friends.

So here’s the email:

Facebook Email

Now the first thing wrong here is that you would NEVER receive an email from Facebook stating that they reset your password.
The next thing wrong is that there is a zip file attachment, whereas the message says it is a document.

Another thing to note…
Passwords would NEVER be emailed to you. They might have a link to their website where you would change the password there… But that itself could be very risky.

To make my point, you might get an email that has a link in the message,
something similar to the link below:
(Don’t worry if you click on it)

https://www.facebook.com/password_reset

So the displayed text can be one thing, while the actual link goes someplace totally different.
And here’s how I did it:

Facebook URL

Here’s a tip on how to spot a fake URL or link:
Hover your cursor over the link and look at the bottom status bar of Internet Explorer.
It will typically display the actual link address.

So always be suspicious when reviewing your emails.
Anyway, back to the story.

So like the geek I am, I check out the email header:

Received: from MFGWNSPH (192.168.1.1) by <blocked out my DNS Name> (192.168.1.254)
with Microsoft SMTP Server id 8.1.393.1; Mon, 8 Feb 2010 17:50:18 -0600
Received: from 119.193.72.242 by dev.null; Tue, 9 Feb 2010 08:50:03 +0900
From: Facebook Service <customer@facebook.com>
To: <rolly.perreaux@pmologistics.com>
Subject: Facebook Password Reset Confirmation! Important Message
Date: Tue, 9 Feb 2010 08:50:03 +0900
Message-ID: <000d01caa919$6eea0ef0$6400a8c0@widowhoodn7>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000E_01CAA919.6EEA0EF0"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
Importance: Normal
Return-Path: widowhoodn7@MyOwnPerson.com

So from the header we see that IP address 119.193.72.242 is the one that sent the email.

NOTE:

Always remember that it is very easy to spoof the sender address to whatever you want, in this case customer@facebook.com.
The other thing to note in the header is that widowhoodn7@MyOwnPerson.com is the Return-Path, which might also be spoofed, or might be a legitimate address on a zombie computer.

  • Return-path identifies the email address of the message’s sender.
  • Zombie computer or Zombie is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse.
  • Trojan Horse – see http://en.wikipedia.org/wiki/Trojan_horse_(computing)
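As an added example (not the blog's own code), here is a small Python script that reads the header block above the way the author did by hand: it walks the Received lines from the bottom up to find the first public address in a "from" clause, and compares the domain of the visible From address with the Return-Path domain. The hostname the author blanked out is replaced with the placeholder mailhost.example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Header block quoted in the post; "mailhost.example" stands in for the
# hostname the author blanked out. Added example, not the blog's own code.
RAW_HEADERS = """\
Received: from MFGWNSPH (192.168.1.1) by mailhost.example (192.168.1.254)
 with Microsoft SMTP Server id 8.1.393.1; Mon, 8 Feb 2010 17:50:18 -0600
Received: from 119.193.72.242 by dev.null; Tue, 9 Feb 2010 08:50:03 +0900
From: Facebook Service <customer@facebook.com>
Subject: Facebook Password Reset Confirmation! Important Message
Return-Path: widowhoodn7@MyOwnPerson.com

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_hops(raw):
    """Received headers in delivery order: oldest (bottom of header) first."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))

def originating_ip(raw):
    """First public IPv4 in the 'from' clause of the oldest hop; internal
    relays (private/loopback addresses) are skipped."""
    for hop in received_hops(raw):
        from_clause = hop.split(" by ", 1)[0]
        for candidate in IPV4.findall(from_clause):
            if ipaddress.ip_address(candidate).is_global:
                return candidate
    return None

def header_domains(raw):
    """Domains of the visible From address and of the Return-Path."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, rp_dom

def suspicious_reasons(raw):
    """Findings a reviewer would raise: domain mismatch and the real origin."""
    reasons = []
    from_dom, rp_dom = header_domains(raw)
    if from_dom and rp_dom and from_dom != rp_dom:
        reasons.append(f"From domain {from_dom} differs from Return-Path {rp_dom}")
    if ip := originating_ip(raw):
        reasons.append(f"originating host {ip}; check where it is registered")
    return reasons
```

Running suspicious_reasons(RAW_HEADERS) reports the facebook.com / myownperson.com mismatch and 119.193.72.242 as the originating host, which is the address the author then fed to the email lookup service.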

Anyway, like a good little geek, I check the header using an email lookup.
I like using http://www.ipaddresslocation.org/email-tracking/email-header.php

Here’s what it found:

Facebook Email Lookup

I’m pretty sure that an email from customer@facebook.com shouldn’t originate from South Korea.

Now I’m intrigued what the attachment is.
So let’s have a look:

Facebook Attachment

Whenever you see an EXE file inside a zip file, that spells T-R-O-U-B-L-E.

LEGAL DISCLAIMER
Please do not attempt this at home or at work unless you are a trained security professional.
If you do, then you’re a bonehead and get what you deserve.

So I then decide to extract the file to C:\Temp for further investigation,
and lo and behold, there it is: A TROJAN HORSE

Facebook Password Trojan Horse

So I click on the link to view more information….
Here’s the link:
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWin32%2fOficla.H!dll&threatid=2147630489

Not really a lot of detail, so I checked Threat Expert and found a lot more detail for my geek friends:
http://www.threatexpert.com/report.aspx?md5=c3893927e6411c0b515b4edb0035aa0c


The moral(s) of the story

  1. Social network sites like Facebook don’t email passwords.
  2. Zip files containing filenames ending in .exe are never a good thing.
  3. Be careful clicking on links.
  4. Don’t open and run attachments without having up-to-date malware protection software.

Cheers!!
