Zbot Trojan Spreads By Fake Facebook Friend Request

New wave of fake Facebook emails leads to malware-contaminated websites

August 31, 2011

1 Min Read


THALGAU, Austria, Aug. 30, 2011 /PRNewswire/ -- Every Facebook user is familiar with the friend invitation via email on Facebook. The malware analyst team of security expert Emsisoft has now revealed that cyber criminals make use of this system to infect users with malicious software.

Especially fraudulent emails with the subject "Kaamil Mahmoud wants to be friends on Facebook" do not lead to the original Facebook website, but to a fake one as soon as the recipient clicks the "Confirm Friend Request" link.

The fake Facebook page shows the message "Your version of Macromedia Flash Player is too old to continue. Download and install the latest version of Adobe Flash Player". By clicking on "Download and Install", the browser will download a malware file named updateflash.exe - it contains the Zeus trojan, also known as Zbot.

Unfortunately, not executing the file does not mean the victim escapes infection, as the fake Facebook page will also load another address (like hxxp://vampirefishsd.com) in the background. An exploit script being part of the BlackHole Exploit Kit runs on this website.

Christian Mairoll, CEO at Emsisoft: "We advise people to update their operating system and all applications regularly, including security programs. Second, everybody should be careful with suspicious emails: those from Facebook always contain the name of the user and all links point to the legitimate Facebook website, of course. The safest way is to open Facebook manually in the browser and have a look at new friend invitations there."


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights