The corporate slogan of Facebook is “Move fast and break things”. Our spam traps reveal that spammers have taken that to heart and are implementing features even faster than Facebook – except, of course, those features aren’t real.
In January of 2013 Facebook added a feature to its mobile apps that lets you record a voice message in Facebook instant messaging conversations. Spam we’re seeing in our honeypots takes this one step further and poses as a voice comment inserted directly into your timeline, something Facebook doesn’t even do yet.
In English this says:
You have received a voice comment on your timeline.
Recording: To open the comment click on the link below. The content recorded is the responsibility of the user.
… with a button labeled Open Comment.
Fake multi-media messages are a fixture of Latin American spam, but we wouldn’t be surprised at all to see this convincing-looking email translated into other languages, particularly English for the Norteños.
The payload is hidden behind the tiny.cc URL shortener and hosted on a Dropbox account. It is a variant of Trojan.Graftor, aka Trojan.Swizzor, and is further disguised as a .cpl file, a Control Panel extension, which is meant to be used by the Windows Control Panel but is in fact just another sort of Windows executable file. If run, it burrows into the victim’s PC to steal passwords and respond to other remote commands.
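A content-based check that a mail or web gateway could apply to downloads like the one described above, as an added example that is not from the original post: it ignores the file name and reads the MZ/PE headers, so a .cpl is treated as the executable it is. The function names, the .scr entry and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# .cpl is the extension from this post; .scr is an added assumption (same PE format).
DISGUISE_EXTENSIONS = {".cpl", ".scr"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs, which is what a .cpl is


def pe_info(data: bytes):
    """Return {'machine', 'is_dll'} if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    # The 4-byte signature plus the 20-byte COFF header must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def verdict(filename: str, data: bytes) -> str:
    """Classify a download by content first, file name second."""
    if pe_info(data) is None:
        return "not-executable"
    ext = os.path.splitext(filename.lower())[1]
    return "disguised-executable" if ext in DISGUISE_EXTENSIONS else "executable"


def constructed_pe_header(characteristics: int) -> bytes:
    """Constructed sample: the smallest header prefix pe_info() accepts (not a real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    samples = {
        "voice_comment.cpl": constructed_pe_header(0x2102),  # DLL flag set
        "setup.exe": constructed_pe_header(0x0102),
        "notes.cpl": b"plain text, not a PE image",
    }
    for name, blob in samples.items():
        print(f"{name}: {verdict(name, blob)}")
```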