The corporate slogan of Facebook is “Move fast and break things”. Our spam traps reveal that spammers have taken that to heart and are implementing features even faster than Facebook – except, of course, those features aren't real.
In January of 2013 Facebook added a feature to its mobile apps that lets you record a voice message in Facebook instant messaging conversations. Spam we're seeing in our honeypots takes this one step further and poses as a voice comment inserted directly into your timeline, something Facebook doesn't even do yet.
In English this says:
You have received a voice comment on your timeline.
Recording: To open the comment click on the link below. The content recorded is the responsibility of the user.
… with a button labeled Open Comment.
Fake multi-media messages are a fixture of Latin American spam, but we wouldn't be surprised at all to see this convincing-looking email translated into other languages, particularly English for the Norteños.
The payload is hidden behind the tiny.cc URL shortener and hosted on a Dropbox account. A variant of Trojan.Graftor, aka Trojan.Swizzor, it is further disguised as a .cpl, a Control Panel extension, which is meant to be used by the Windows Control Panel but is in fact just another sort of Windows executable file. If run, it burrows into the victim's PC to steal passwords and respond to other remote commands.
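Because a .cpl is an ordinary Windows PE image under a different extension, a download or attachment filter should decide on file content first and file name second. The sketch below is an added example, not code from this post or from any Barracuda product; the file names, the extension policy list and the header stubs are constructed for illustration.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag: image is a DLL
EXEC_EXTS = {".exe", ".dll", ".scr", ".cpl"}  # assumed local policy list

def pe_characteristics(data):
    """Return the COFF Characteristics word if data starts a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last 2 bytes of the 20-byte COFF header after the signature.
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return flags

def classify(filename, data):
    """Verdict for a downloaded file or attachment, keyed on content before name."""
    ext = os.path.splitext(filename.lower())[1]
    flags = pe_characteristics(data)
    if flags is None:
        return "review: executable extension, not a PE image" if ext in EXEC_EXTS else "allow"
    kind = "DLL" if flags & IMAGE_FILE_DLL else "EXE"
    if ext == ".cpl":
        return f"block: PE {kind} delivered as Control Panel item"
    if ext not in EXEC_EXTS:
        return f"block: PE {kind} hidden behind '{ext}' extension"
    return f"block: PE {kind}"

def sample_pe(flags):
    """Constructed 88-byte header stub for the demo; not a real or loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    for name, blob in [("voice_comment.cpl", sample_pe(0x2002)),
                       ("voice_comment.mp3", sample_pe(0x0002)),
                       ("voice_comment.mp3", b"ID3" + bytes(64))]:
        print(name, "->", classify(name, blob))
```
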
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.