The bottom falls out of Facebook email malware

Graham Cluley
Graham Cluley
@[email protected]

Email claiming to come from FacebookSophosLabs has intercepted a malware attack that has been spammed out, pretending to be a notification about a Facebook friend’s sexy video.

Although you may think that as the emails are written in Spanish, they are unlikely to trick many non-speakers to click on the malicious link contained within.

However, an embedded thumbnail of a semi-naked young woman may be enough for many to venture further without thinking of the possible consequences.

I’ve edited the screenshot below because even after blurring and pixellating, it still looked really rather rude. Anyway, you can still see enough of the email to get the gist of what to look out for in your inbox.

Sign up to our free newsletter.
Security news, advice, and tips.

Malicious Facebook email

Miiiii lindoooo!!! ahahahaha este videoo no se lo muestrezzz a nadiesss =$$$$ ziii ?? es solo para tiii!! porque ? yoooo te amoooo muxiiiisisisisizimoooo!!! me gusto muxo tu videooo te requiero montonezzzz!!!! porfiz cuando estez en..

This (very roughly) translates to:

Cutey! Ha ha ha.. don't show this video to anyone. It's only for you! Why? Because I love you! I liked your video a lot..

If you didn’t have your wits about you, you might be fooled into believing that you have accidentally found yourself caught between a sexy conversation between two latin lovers.

If you click on a link in the email, however, you are taken to a webpage that tries to download a file called Video_Multimedia.exe to your computer. Sophos intercepts that file as malware, identifying it as Troj/Agent-YGD.

TortoiseSVNCuriously, the executable file contains version information stolen from a legitimate application – TortoiseSVN, a client for Subversion, the Apache version control software.

Presumably the malware authors deliberately chose to steal information from a legitimate application in the hope that it would trick anti-virus scanners into believing that the file was safe.

It’s important to understand that these particular emails do not appear to have been sent via Facebook. Although they “borrow” Facebook’s logo and styling, they have been deliberately crafted to appear like a legitimate email notification from the social network.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.