Scammers are using fake Facebook password reset messages again, in order to peddle their fake antivirus software.

A recent email wave of image spam (meaning the text of the email is actually contained in an image, rather than normal email text) attempts to entice users to open an email attachment, purportedly a response to a request for a new password.

This file actually contains a variant of the Bredolab trojan, which installs fake antivirus software.

The image appears as the following text:

[Image: Facebook password scam email content]

The image text translated to actual text, for the benefit of search engines:

Hey,

You recently requested a new password.
You can find your new password in attached file.

Please note that this email has been sent to all contact emails associated with your account.
If you did not request a new password, it's likely that another person has mistakenly
attempted to log in using your login.
As long as you do not click the link contained in the email, no action will be taken and your
account will remain secure.
For more information, visit our Help Center at http://www.facebook.com/help/?topic=login

Thanks,
The Facebook Team

The attached file is a zip compressed archive, which, when opened, contains the trojan.

[Image: Bredolab trojan virustotal.com scan results]

The real problem with this particular variant is that it's only detected by 5 out of 41 scanners at virustotal.com: Authentium, AVG, the open source ClamAV, F-Prot, and Sophos.

The big 3 software packages - Norton, McAfee, and Trend Micro - and even the more popular of the smaller providers - NOD32, Microsoft, and Kaspersky - all completely miss it.

This goes to show that obtaining security software based on its relative popularity in the marketplace is not a sound method for keeping your computer safe.

The email claims to be from "Facebook Security", or "Facebook Support". The emails I've seen also contained names of supposed Facebook employees, undoubtedly fake also, such as "Adelberta Chizmar" and "Travis Cleave".

Beware of social engineering techniques such as this, and don't open any such attachment.
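Since most scanners miss the payload, a mail filter can key on the structure of the message instead. The following is an added example, not part of the original post: a Python triage function that flags mail combining the three traits described above (a "Facebook Security"/"Facebook Support" display name, a body carried by an image, and a zip attachment). The 40-character threshold, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

CLAIMED_NAMES = ("facebook security", "facebook support")  # display names quoted in the post
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")
MAX_TEXT_CHARS = 40  # assumed threshold: below this, the image carries the message


def triage(raw: bytes) -> dict:
    """Report which traits of the described spam a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    text_chars, has_image, has_zip = 0, False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if fname.endswith(".zip") or ctype in ZIP_TYPES:
            has_zip = True
        elif ctype.startswith("image/"):
            has_image = True
        elif ctype.startswith("text/"):
            # Strip HTML tags so a bare <img> wrapper does not count as text.
            text_chars += len(re.sub(r"<[^>]*>", "", part.get_content()).strip())
    traits = {
        "claims_facebook": display_name.strip().lower() in CLAIMED_NAMES,
        "image_only_body": has_image and text_chars < MAX_TEXT_CHARS,
        "zip_attachment": has_zip,
    }
    traits["quarantine"] = all(traits.values())  # all three traits together
    return traits


def build_sample(name: str = "Facebook Support", with_zip: bool = True) -> bytes:
    """Constructed sample message (placeholder bytes, no real payload)."""
    m = EmailMessage()
    m["From"] = f'"{name}" <sender@example.test>'
    m["To"] = "user@example.test"
    m["Subject"] = "Constructed sample"
    m.set_content('<img src="cid:body">', subtype="html")
    m.add_attachment(b"constructed image bytes", maintype="image",
                     subtype="png", filename="body.png")
    if with_zip:
        m.add_attachment(b"constructed archive bytes", maintype="application",
                         subtype="zip", filename="attachment.zip")
    return m.as_bytes()
```

Requiring all three traits together keeps ordinary mail with a zip attachment or an inline image out of quarantine.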