Today I received an email from a friend with the subject "Remove my photo from FACEBOOK". The body of the email says:

“Hey, who gave you permission to post my photo on Facebook??? Be aware that I didn’t like that and I would like you to remove it ASAP. Are you playing around with me?”

Under this paragraph there was a link pretending to point to the Facebook picture. Here is the original email (in Portuguese):

image

Well, when I saw that I knew it was a fake e-mail (a typical social engineering e-mail), and I also knew that if I waited a little bit, Hotmail would probably be redirecting this to my Junk Mail. But I was curious to understand what this was about, so I copied the URL to a lab environment that I have (isolated from my production network).

What happened?

I configured my TMG’s live logging to watch the particular client where I was doing the test, and here is what I saw:

1. A redirect from the short URL:

image

2. Another redirect from the target (notice that my friend’s email address is in the GET request):

image

3. Right after that, this is what I saw on my client workstation:

image


4. Immediately, FEP 2010 opened the window below on the client workstation:

image

5. When I clicked Show details, this is what I got:

image

A severe threat (a Trojan) that was trying to land on my system. I was lucky to have FEP 2010 fully updated and ready to mitigate such a risk; however, some users might not have that.
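The chain the proxy log shows above (a short URL, a second redirect that carries the recipient's address in the query string, and finally a download that is not a photo at all) can be traced in code without letting a browser follow it. The Python below is an added example, not part of the original post and not a TMG or FEP feature: every hostname, path and filename in it is constructed, and the `fetch` callable is an assumption that lets the same logic run offline against canned responses here or against real HEAD requests from an isolated lab machine.

```python
"""
Trace an HTTP redirect chain hop by hop, the way a proxy log shows it,
without ever downloading or opening the final payload.

Added example for a social-engineering write-up; all hosts and files below
are constructed and do not refer to any real campaign.
"""
import re
from urllib.parse import urljoin, urlsplit, parse_qsl

# Recognise an e-mail address smuggled into a query-string value
# (the post's second hop carried the recipient's address in the GET request).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Content types and extensions that mean "the 'photo' is actually a program".
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-msdos-program"}
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".jar")


def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def trace_redirects(start_url, fetch, max_hops=10):
    """Follow Location headers manually and record what each hop reveals.

    `fetch(url)` must return the raw response head for `url` (a HEAD request in
    a real lab run, a canned string here).  Bodies are never read, so tracing
    the chain cannot execute whatever sits at the end of it.
    """
    hops = []
    url = start_url
    for _ in range(max_hops):
        status, headers = parse_response(fetch(url))
        hop = {"url": url, "status": status}
        # Personal data leaking through the redirect chain.
        leaked = [v for _, v in parse_qsl(urlsplit(url).query) if EMAIL_RE.fullmatch(v)]
        hop["emails_in_query"] = leaked
        location = headers.get("location")
        if 300 <= status < 400 and location:
            hop["redirects_to"] = urljoin(url, location)   # resolves relative Locations too
            hops.append(hop)
            url = hop["redirects_to"]
            continue
        # Final hop: decide what the link really served.
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        disp = headers.get("content-disposition", "")
        match = re.search(r'filename="?([^";]+)"?', disp)
        filename = match.group(1) if match else urlsplit(url).path.rsplit("/", 1)[-1]
        hop["content_type"] = ctype
        hop["filename"] = filename
        hop["executable"] = ctype in EXECUTABLE_TYPES or filename.lower().endswith(EXECUTABLE_EXTS)
        hops.append(hop)
        return hops
    raise RuntimeError("redirect loop or chain longer than %d hops" % max_hops)


# Constructed lab responses standing in for the three hops seen in the proxy
# log: a URL shortener, an intermediate host that carries the recipient's
# address in the query string, and a download disguised as a photo.
LAB_RESPONSES = {
    "http://short.example/abc123":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: http://redirector.example/go?u=friend%40example.com\r\n\r\n",
    "http://redirector.example/go?u=friend%40example.com":
        "HTTP/1.1 302 Found\r\n"
        "Location: /download/Foto_Facebook.jpg.exe\r\n\r\n",
    "http://redirector.example/download/Foto_Facebook.jpg.exe":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment; filename=\"Foto_Facebook.jpg.exe\"\r\n\r\n",
}


def lab_fetch(url):
    """Offline stand-in for a HEAD request against the constructed chain above."""
    return LAB_RESPONSES[url]


if __name__ == "__main__":
    for i, hop in enumerate(trace_redirects("http://short.example/abc123", lab_fetch), 1):
        print(i, hop)
```

On a live chain, `fetch` would issue a HEAD request with `http.client` from the isolated lab host and return the response head only; never swapping in a GET that saves the body is what keeps the trace from turning into the infection the post describes. The double extension and the `application/octet-stream` type on the last hop are the signs to look for when a link that claims to be a picture ends up offering a file.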

What about your friend?

The best thing you can do if you believe your friend is sending compromised content (probably because he was compromised) is to take action and inform Hotmail that this happened. From the Hotmail web interface you can flag that message, saying that your friend was hacked:

image

…or you can also send the message to the Junk folder and flag that your friend was hacked:

image

Keep yourself and your friends safe!