Cloudmark Blog

Intelligence Briefings from the War on Spam

Archive for October 2009

BLACKBERRIES CAN’T TELL REAL FROM PHISH?


Thursday, October 29, 2009 by David Romerstein

Mixed in with the fake Facebook password update email we reported yesterday is another, possibly more dangerous phish. Messages with subjects like “Facebook Update Tool” and “Facebook Account Update” are circulating. These are more typical phish, and they include a link to a fake account login page.


Most users, by now, know to be cautious of things like this in their inbox. For Facebook users with Blackberries, though, there’s another danger. There are reports, verified through experimentation by Stuart Paton, Senior Solutions Architect here at Cloudmark, that the Facebook for Blackberry app provided by Research in Motion can be fooled by these phishes. The app can be configured to monitor your Blackberry’s email inbox for alerts from Facebook; those alerts are then moved to the Facebook app’s internal inbox, which makes them appear to be legitimate. Users are much more likely to respond to these phishes when they appear to be coming directly from Facebook.


Our experiments show that these messages only show up in the Facebook for Blackberry app, and will not be seen if you log into your Facebook account through a web browser. Until Research in Motion and Facebook can issue a fix for this behavior, Facebook for Blackberry users should take care to verify that links in Facebook alerts are legitimate by viewing their Facebook inbox in a web browser.

(Thanks go to Stuart Paton for researching this issue, and for providing screenshots of his Facebook inbox for this article)

DID MYSPACE RESET MY PASSWORD?


Thursday, October 29, 2009 by David Romerstein

Facebook users may be able to relax a little – the Facebook/malware messages that we reported yesterday are starting to morph to other social networking sites. Starting around 10AM Pacific time today, Cloudmark started to see the subject of those messages change to “Myspace Password Reset Confirmation”. Aside from changing “Facebook” to “Myspace” throughout the messages, they’re the same thing, and they still carry a .zip file that will try to add your computer to the Bredolab botnet. As with Facebook, Myspace is a victim here, as well, and is not responsible for the messages.

It’s probable that we’ll see this morph again in the next few days, so users should be especially wary of messages purporting to be from the social networks. Cloudmark’s systems have already generated fingerprints for these messages, and Cloudmark customers are being protected from this mutation.

DID FACEBOOK RESET MY PASSWORD?


Wednesday, October 28, 2009 by David Romerstein

The last three days have seen a sharp uptick in social engineering, as one or more of the malware distributors are, once again, playing on the popularity of Facebook to convince people to open their email. Emails with the subject “Facebook Password Reset Confirmation” have been flooding inboxes over the last few days, enticing people to open a zip file which purportedly contains the user’s new password. Of course, it contains no such thing – the zip file is actually just another piece of malware. Samples that I have looked at include what Kaspersky is identifying as “Packed.Win32.Krap.w”, a trojan designed to download and install other programs without the user’s knowledge. ZDNet’s coverage is calling this the return of the Bredolab botnet, known to be responsible for both spam and identity theft.

Cloudmark saw these emails starting just before 1PM Pacific time on Monday, October 26th. By mid-day Tuesday, October 27th, almost half a million attempts had been made to deliver copies to mailboxes protected by Cloudmark Desktop, and by mid-day Wednesday, October 28th, that number had risen to almost three-quarters of a million. Cloudmark Desktop protects almost 2 million active mailboxes.

I cannot stress enough – these emails are not coming from Facebook, and they do not mean that your Facebook account has been taken over, or that someone is trying to get your password. The emails are coming from already compromised computers from all over the world, and all they are trying to do is to add your computer to the growing legion of bots. Facebook, unfortunately, is just another victim here; they can’t stop bad guys from using their name to dangle as bait in front of you.

You can take several steps to protect yourself. Make sure your anti-virus is up-to-date, and consider running more than one flavor of anti-virus or malware detector. Do not open attachments you’re not expecting. Use different passwords for all of the websites that you use so that, even if one is compromised, others can’t be.
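
A mail-filter check for the lure described in this post and its Myspace variant, as an added example that is not Cloudmark's fingerprinting and not code from the original post: it flags a message whose subject reads "<brand> Password Reset Confirmation" and that carries a .zip attachment. The brand-agnostic subject pattern, the function names, the addresses and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Generalised from the two subjects quoted on this page ("Facebook ..." and
# "Myspace Password Reset Confirmation"): one brand word, then the fixed
# phrase. Treating any brand word as suspicious is an assumption.
LURE_SUBJECT = re.compile(r"^\s*\w+\s+password\s+reset\s+confirmation\s*$", re.I)

def zip_attachments(msg):
    """Return the filenames of every MIME part whose name ends in .zip."""
    names = []
    for part in msg.walk():
        name = part.get_filename()  # None for parts that carry no filename
        if name and name.lower().endswith(".zip"):
            names.append(name)
    return names

def is_reset_lure(raw):
    """True when the subject matches the lure AND a .zip file is attached."""
    # policy.default decodes RFC 2047 encoded subjects before matching.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return bool(LURE_SUBJECT.match(subject)) and bool(zip_attachments(msg))

def build_sample(subject, attachment_name=None):
    """Constructed test message; the attachment is an empty, inert zip."""
    m = EmailMessage()
    m["From"] = "support@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Your password has been changed. See the attached file.")
    if attachment_name:
        empty_zip = b"PK\x05\x06" + b"\x00" * 18  # end-of-central-directory only
        m.add_attachment(empty_zip, maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_string()

if __name__ == "__main__":
    samples = [
        ("Facebook Password Reset Confirmation", "new_password.zip"),
        ("Myspace Password Reset Confirmation", "new_password.ZIP"),
        ("Facebook Password Reset Confirmation", None),
        ("Lunch on Friday", "photos.zip"),
    ]
    for subject, attachment in samples:
        verdict = is_reset_lure(build_sample(subject, attachment))
        print(f"{subject!r:45} attachment={attachment!r:20} lure={verdict}")
```

Requiring both conditions keeps a plain-text reset notice and an unrelated message with a zip attached out of the result.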

