Cybercrooks Use Tumblr to Hit Facebook Users With Phishing / Malware Attack

Facebook may have lost some of its luster in the eyes of teenage users, but cybercriminals still seem to like it.

In fact, they seem to be such huge fans of the social network that they want to get as many accounts as they can, and have launched a phishing campaign to steal Facebook logins.

Oh, and spread malware.

The attack begins with a message sent from a Facebook friend – whose account has been compromised – claiming that they or one of their relatives has been the victim of a crime and needs help.

The alleged crimes & victims tend to vary, but the overall concept remains the same. Here’s an example of one of the messages:

2days agos 2 guys tried to steal my brother’s car. Does anyone of you know them? Here is there pics [LINK]

The link included in the message is a Tumblr page supposedly containing pictures of the perpetrators, but of course that’s not really the case.

Facebook users that click the Tumblr link are immediately redirected to a spoofed Facebook login page asking them to enter their username & password, plus the answer to a secret question. Unsuspecting users may fall for the trap since the domain for the fake page starts with “,” ex:


The phony login page will also attempt to run a Java applet and send the user to a fake YouTube page that prompts the user to download malware disguised as a video player.

Microsoft Security Essentials detects the threat as TrojanDownloader:Win32/Tofsee.D (“Tofsee”), a Trojan that will silently download & install additional malware if it successfully infects your computer. Currently only 10/48 antivirus engines are capable of detecting Tofsee.
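The lookalike-domain trick used by the spoofed login page can be checked mechanically by matching the end of the hostname at a dot boundary instead of looking at how it starts. The Python below is an added example, not part of the original post; the trusted domain `facebook.com`, the function names and the sample URLs are assumptions constructed for illustration, since the post's own example domain is not shown.

```python
from urllib.parse import urlsplit

# Assumption: the only registrable domain that should receive Facebook logins.
TRUSTED_DOMAINS = ("facebook.com",)
BRAND = "facebook"  # brand string a lookalike address would imitate


def classify_landing_url(url: str) -> str:
    """Classify the URL the browser finally landed on, after any redirects.

    Returns 'trusted', 'lookalike', 'unrelated' or 'invalid'.
    """
    try:
        parts = urlsplit(url)
        # .hostname is lowercased and excludes port and userinfo.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    # Match on the END of the host, at a label boundary, never on its start.
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    # The brand anywhere in the authority (host or userinfo) of an untrusted
    # host is what makes the address bar look familiar to the victim.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "unrelated"


def audit(urls):
    """Map each URL to its verdict."""
    return {url: classify_landing_url(url) for url in urls}


# Constructed landing URLs (reserved .example names, documentation IP range).
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://facebook.com.login-check.example/login.php",
    "https://facebook-photos.example/",
    "https://notfacebook.com/login",
    "https://facebook.com@203.0.113.7/login",
    "https://someblog.tumblr.com/post/1",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

Apply the check to the address of the page that actually asks for the password, not to the link in the message, because the Tumblr link only redirects there.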

Don’t Fall For This Attack

If you happen to receive a message like the one above, it is strongly recommended that you:

  • Do not click the link included with the message.
  • Delete the message if it was shared via chat (or report it as spam if it was posted on a wall).
  • Inform your friend that their Facebook account has most likely been compromised and they should change their account password immediately. Additionally, they should scan their computer with one of the antivirus programs capable of detecting the Trojan being spread through this attack.

Don’t forget to warn your family & friends about this scam!

[via ISC]
