Facebook friend added a new photo of you? Beware spammed-out malware attack

Graham Cluley

Computer users are being warned to be careful about opening unsolicited email attachments, after a malicious Trojan horse was spammed out posing as a Facebook notification that the recipient is featured in a newly uploaded photograph.

The emails, which pretend to come from Facebook, look like the following:

Subject: Your friend added a new photo with you to the album

Attached file: New_Photo_With_You_on_Facebook_PHOTOID[random].zip

Message body:


One of Your Friends added a new photo with you to the album.

You are receiving this email because you've been listed as a close friend.

[View photo with you in the attachment]

Of course, the emails don’t really come from Facebook.

But there are surely many people who could be duped into believing that they have been tagged by one of their friends in a photograph, and want to see if they look overweight, unattractive or simply fabulous (delete as applicable).

Unfortunately, the attached ZIP file contains malware, designed to allow hackers to gain control over your Windows computer.

Sophos products intercept the malware as Troj/Agent-XNN.
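
The subject line, attachment name and ZIP payload shown in the sample above can be checked when sweeping a mailbox or filtering at a gateway. The Python below is an added example, not code from the original article or from Sophos. It assumes "[random]" can be any run of characters, uses placeholder addresses and a constructed `0000` suffix, and its flagging rule (filename alone, or subject plus any ZIP payload) is an illustrative choice.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the sample email on this page. The page gives the
# filename suffix only as "[random]", so anything before ".zip" is accepted.
LURE_SUBJECT = "your friend added a new photo with you to the album"
LURE_NAME = re.compile(r"^New_Photo_With_You_on_Facebook_PHOTOID.*\.zip$", re.I)
ZIP_MAGIC = b"PK\x03\x04"  # local file header at the start of a ZIP archive


def indicators(raw: bytes) -> list:
    """Return the campaign indicators present in one raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse whitespace so folded or padded subjects still compare equal.
    if " ".join(str(msg.get("Subject", "")).split()).lower() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if LURE_NAME.match(part.get_filename() or ""):
            hits.append("attachment-name")
        # Inspect the decoded bytes: a renamed archive keeps its ZIP header.
        if (part.get_payload(decode=True) or b"").startswith(ZIP_MAGIC):
            hits.append("zip-content")
    return hits


def is_lure(raw: bytes) -> bool:
    """Flag on the filename alone, or on the subject plus any ZIP payload."""
    hits = set(indicators(raw))
    return "attachment-name" in hits or {"subject", "zip-content"} <= hits


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "notification@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("One of Your Friends added a new photo with you to the album.")
    m.add_attachment(data, maintype="application", subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_zip = ZIP_MAGIC + b"\x00" * 26  # constructed header bytes, not a real archive
    subject = "Your friend added a new photo with you to the album"
    for name in ("New_Photo_With_You_on_Facebook_PHOTOID0000.zip", "holiday.jpg"):
        print(name, indicators(build_sample(subject, name, fake_zip)))
```
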

Last month, experts at SophosLabs saw another malware campaign posing as a Facebook photo tag notification. On that occasion, the emails did not contain attachments but instead linked to compromised websites which aimed to attack visiting computers with the Blackhole exploit kit.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
