Facebook users are being hit with a one-two punch that launches both a phishing scheme and a banking Trojan on users' computers to steal information and login credentials, security researchers warned.
The Facebook phishing campaign's malware is part of the global Zeus botnet, or Zbot for short, which is sending about 1,000 phishing messages per minute per domain across about 30 domains. That works out to about 30,000 messages per minute, or 500 per second, according to researchers at security company AppRiver.
That's on top of the 1.65 million messages security experts have already seen as a result of the Facebook phishing campaign.
The Zbot phishing messages appear to be from Facebook in an attempt to trick unsuspecting users into downloading malware and submitting personally identifying or financial information.
During the attack, Facebook users receive an e-mail informing them that Facebook is updating its log-in system to make things more secure. The e-mail then urges them to click on what appears to be an update button embedded in the message.
"First of all, this should be enough anyone needs to see considering Facebook, your bank, or anyone else, doesn't need every one of their users' participation in order to update their product," according to an AppRiver blog post.
Once users click on the link, they are directed to a bogus Facebook log-in page, which convincingly has their username already filled in for them, but simply asks for their password to allegedly complete the update. In actuality, attackers behind the phony Facebook page are waiting to grab victims' login credentials once they are submitted.
Then, after "logging in," victims are taken to a page offering them an "update tool," which is, in actuality, the Trojan updatetool.exe. Once victims click on the tool, their computers become infected with the Zeus Trojan, known for targeting banking accounts and designed to swipe personal and financial information.
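The chain described above (a message claiming to be from Facebook, an "update" link whose visible text does not match its real target, and a download that is a bare executable) leaves structural traces a mail filter can check before a user ever clicks. The following is an added example written for this article, not code from AppRiver or from any vendor product: it parses a constructed sample message (placeholder domains under the reserved .invalid TLD, not indicators from the real campaign) and reports the three indicators. The list of domains treated as legitimate senders is an assumption for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign in the article. Not a captured
# e-mail; every domain here is a placeholder under the reserved .invalid TLD.
SAMPLE_EMAIL = """\
From: Facebook <security@fb-update.invalid>
To: victim@example.com
Subject: Facebook Update Tool
Content-Type: text/html

<html><body>
<p>Facebook is updating its login system to make your account more secure.</p>
<p><a href="http://fb-update.invalid/login.php">http://www.facebook.com/update</a></p>
<p><a href="http://fb-update.invalid/updatetool.exe">Download update tool</a></p>
</body></html>
"""

# Constructed benign message for contrast: brand name in the display name,
# but the sender and the link target are both on the brand's own domains.
LEGIT_EMAIL = """\
From: Facebook <notification@facebookmail.com>
To: victim@example.com
Subject: New login to your account
Content-Type: text/html

<html><body><p><a href="https://www.facebook.com/settings">Review activity</a></p></body></html>
"""

# Assumption for this example: domains the impersonated brand actually sends from.
LEGIT_DOMAINS = {"facebook.com", "facebookmail.com"}
BRAND_KEYWORD = "facebook"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_legit(host):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_message(raw):
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator 1: display name claims the brand, sending domain does not.
    display, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if BRAND_KEYWORD in display.lower() and not is_legit(sender_domain):
        findings.append(f"brand-impersonating sender: {addr}")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")

    for href, text in extractor.links:
        href_host = domain_of(href)
        # Indicator 2: visible text shows a URL on one host, real target is another.
        if text.lower().startswith("http") and domain_of(text) != href_host:
            findings.append(f"link text/target mismatch: '{text}' -> {href}")
        # Indicator 3: the link hands the user a bare executable.
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"direct executable download: {href}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyze_message(sample) or ["no indicators"])
```

The checks are deliberately content-agnostic: they do not look for the word "update" or any phrase from this campaign, so the same function keeps working when the lure text changes but the sender/link/executable pattern does not.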
The Zeus banking Trojan also targets mobile users, who receive a phishing e-mail, delivered to their inboxes, that mimics a genuine Facebook security notification from an application installed on their smartphones.
"Stay away from these e-mails, Zeus or Zbot spares no effort in making their attacks appear to be genuine," AppRiver researchers said. "It is very important for you to protect yourself by being vigilant. Know that threats are out there, and they are indiscriminate."
To protect themselves against Zbot, the Zeus Trojan and other malware, users should avoid clicking on links embedded in e-mails if they don't personally know the sender, researchers advised.