Malware Tied to Blackhole Exploit Kit Appears as Facebook Tag Alert

If you find some random person says they’ve tagged a Facebook photo with you, think twice before you investigate further. SophosLabs has discovered malware infecting machines by getting users to open a malicious link in a fake Facebook e-mail notification.Everything looks legit about the alert with one big exception: the domain name for the sender’s URL is Faceboook.com, not Facebook.com.

Blackhole exploit kitIf you find some random person says they’ve tagged a Facebook photo with you, think twice before you investigate further. SophosLabs has discovered malware infecting machines by getting users to open a malicious link in a fake Facebook e-mail notification.

Everything looks legit about the alert with one big exception: the domain name for the sender’s URL is Faceboook.com, not Facebook.com.

“If you click on the link in the email, you are not taken immediately to the real Facebook website,” Graham Cluley writes in a blog post. “Instead, your browser is taken to a website hosting some malicious iFrame script (which takes advantage of the Blackhole exploit kit, and puts your computer at risk of infection by malware).”

Those who do click the “See Photo” button in the email are taken to the malicious site and before they can react, their browser redirects them to a random, unknowing person’s Facebook page and not the page of the person who supposedly sent the email. 

Sophos says the malicious code is Troj/JSRedir-HW and is continuing to investigate.

Suggested articles