Furtive French photos feign as Facebook, but it’s a malware attack

Furtive French photos feign as Facebook, but it's a malware attack

Malware attacks spammed to your inbox, posing as intimate photographs, are nothing new of course.

We’ve seen plenty of examples of such tactics being used by cybercriminals in the past: topless supermodel photos used to spread Mac malware, photos of an English football star caught in the act with a prostitute offered by Facebook scammers, and complete strangers offering naked pictures as they hunt for a sex partner.

Unless you’re in a profession which makes it normal for complete strangers to email you naked pictures, chances are that you would find such messages slightly out of the ordinary.

Sign up to our free newsletter.
Security news, advice, and tips.

You might even suspect that some mischief was afoot.

But worryingly, many people would still find it impossible to resist clicking on the attachment to see more.

We have intercepted a malware campaign in the last 24 hours, which adds a Gallic flavour to things.

Here’s what a typical email looks like:

Malicious email written in quasi-French

Subject: Facebook

Message body:
Bonjour Man, [email address]

Je ne sais pas comment le dire, mais je n’ai tryed avant longtemps de vous envoyer quelques photos, mais j’ai pensé que vous n’êtes pas intéressé à me voir.
Mais maintenant, je vais vous envoyer les photos dans la pièce jointe.
Téléchargez les photos et ils extraient, je suis sûr que vous qu’ils aiment. Le mot de passe est: 123456

Passez une excellente journée.

Attached to the email is a file called DC24154.zip.

Clearly, the email above is written in French. But you may not realise that it is written in rather poor quality French.

Interestingly, the email uses the polite formal style of French (“vous” rather than “tu”), which considering its intimate subject matter is somewhat unusual. Chances are that whoever was behind the campaign is not a native French speaker, but has used an online translation tool instead.

If you cannot cope with the quasi-French, here is a translation supplied by my colleague Carole Theriault:

Subject: Facebook

Message body:
Hello [email address]

I don’t know how to tell you this, but I have tried for a long time to send you a few photos, but I thought that you weren’t interested in seeing me.

But now, I will send you the photos attached here in this email.

Download the photos and extract them. I’m sure that you will love them. The password is: 123456

Have a great day.

The malicious file has a Facebook-like iconInside the spammed-out ZIP file is a malicious file called DC24145.EXE, which has a Facebook-like icon and carries a (fake) digital signature claiming to be issued by German anti-virus firm Avira GmbH.

Sophos detects the malware as Mal/VB-AER and Troj/ZbotMem-B. The criminals behind the attack may have imagined that encrypting the ZIP with a password would have fooled anti-virus filters but they were mistaken. :)

French keyboardThose with long memories may recall that last year I warned about an English-language malware campaign that was spammed out last year in a very similar style.

Could it be that someone is taking a punt, and has simply taken the wording of an English malware campaign and converted it into French in the hope of finding new victims?

Whether you’re a Francophile or not, don’t allow malware to infect your computer. You should always be suspicious of unsolicited email attachments that are emailed to you out of the blue, and ensure that you have proper defences in place to protect against malware and spam threats.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.