We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.

  • The scammers have targeted Facebook users, telling them that their Facebook account passwords have been changed.
  • The malware downloads a keylogger to collect credit card numbers, social security numbers, and other passwords from the victims’ machines.
  • The malware pushes a fake security product, which disables many applications, such as Notepad, Wordpad, etc., until the bad guys are paid.

This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.

Phishing mail

The mail claims the password has been changed and that it is available in the attached zip file. Once the victims unzip it, they see a file with a spreadsheet icon. When the victim tries to open the file to look for a password, it drops the payload and deletes itself. Once the malware is installed, it establishes a connection to the attacker’s server through the HTTP port and attempts to download more payloads onto the infected machine.
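The two lures described above, a forged From: header and a zip whose contents pass as a spreadsheet, are things a mail gateway can check before the attachment reaches anyone. The following is an added example, not code from the original post or from McAfee: it builds a constructed sample message (all names, domains and the attachment bytes are invented), then flags a From: domain that disagrees with the envelope sender and a zip member that hides an executable behind a document-style name or a PE header.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat"}
DOC_EXT = {".xls", ".xlsx", ".doc", ".pdf", ".txt"}

def build_sample_message() -> bytes:
    # Constructed sample, not a real capture: From: claims facebook.com, the
    # envelope sender is an unrelated relay, and the zip holds a PE file whose
    # name imitates a spreadsheet (the icon trick described in the post).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password.xls.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Facebook Security <security@facebook.com>"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg["Return-Path"] = "<bounce@mail-relay.example.net>"
    msg.set_content("Your password has been changed; see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password.zip")
    return msg.as_bytes()

def _domain(header) -> str:
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return m.group(1).lower() if m else ""

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    claimed, envelope = _domain(msg["From"]), _domain(msg["Return-Path"])
    # Forged From: the displayed domain is not the envelope sender's domain.
    if claimed and envelope and envelope != claimed and not envelope.endswith("." + claimed):
        findings.append(f"from-mismatch:{claimed}!={envelope}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        for info in zf.infolist():
            exts = ["." + s for s in info.filename.lower().split(".")[1:]]
            # Document-looking name with an executable final extension.
            if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT:
                findings.append(f"document-double-extension:{info.filename}")
            if zf.read(info)[:2] == b"MZ":  # PE header, whatever the name says
                findings.append(f"pe-magic:{info.filename}")
    return {"suspicious": bool(findings), "findings": findings}
```

On real traffic the zip handling would also need to cope with corrupt, nested or password-protected archives, which this sample omits.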

The malware also downloads a keylogger and runs it covertly. The second attack hunts for every keystroke so that it can collect information such as login IDs and passwords, credit card and social security numbers, etc. The malware sends the data to a remote server through a backdoor it creates. But this is not yet the end of the game.

While this data theft occurs, the malware also tries to download a fake security product. The rogue application that enters through the backdoor will be covertly installed on the victim’s machine. Once installed, the fake product runs a service that kills almost all open applications: Notepad, Calculator, Registry Editor, Task Manager, and others. (It does not kill Internet Explorer because it needs IE to communicate with the malware server.) After killing these apps, the malware shows a fake alert claiming that the application you’re trying to open is being used to connect to a malware server. (See image below.)

Fake Alert

Fake Security Product

Phishing campaigns on social networking sites are not new. Scammers are not satisfied with only pushing spam to sell “Canadian” pills. Now they also want to sell fake security products, and they need all of our passwords. With McAfee coverage, you’ll be protected against this cocktail attack.