H-Online: fb-malwareA new type of phishing strategy, which aims to trick unsuspecting users into installing a trojan by pretending to be an account cancellation request from Facebook, has been discovered by Sophos. The email messages link to a third party application on the site that will install a Java applet and then prompt the user to update their Flash player, but will actually deliver the trojan malware.

The email messages that are sent out claim to be from Facebook and state: “We are sending you this email to inform you that we have received an account cancellation request from you.” However, Facebook never sends such account cancellation confirmation messages via email. Users who want to cancel their Facebook account can do so by visiting facebook.com/deactivate.php to deactivate their account; they may later delete it after a cool down period has passed.

The malware preys on the fact that many users value their Facebook account highly and do not want it to be deleted. If they follow the link, they get prompted to install a Java applet. If they choose not to do so, the application will keep nagging until the user agrees to the applet being installed. Next, the user will see a message that they need to update Flash Player – this will actually install a trojan onto the system which allows the hackers to take over the machine and integrate it into a botnet. According to Sophos, the most commonly installed trojans are SpyEye-B and Agent-WHZ.