New Facebook Phishing Attempt Capitalises on Account Deletions

[Image: screenshot of the phishing email, showing the real link target on hover]

I got this lovely piece of spam today from “Facebook” about my account deactivation… Now I must admit that I am not very fond of “the book” these days, but I haven’t jumped on the “Delete My Account” bandwagon yet either. So I poked around this one a little more for some obvious signs of “phishing”. And sure enough, it was pretty rampant despite the proper spelling and near-perfect grammar.

First off, the email came from: Facebook <noreply@facebookmail.com>. Now most folks wouldn’t know it, but there is no facebookmail.com web site. Besides, this address is obviously spoofed, as we can see in the full headers (the source) of the email:

From: Facebook
Subject: You have deactivated your Facebook account
Date: June 7, 2010 3:18:19 PM EDT
To: Johnny Canuck <Johnny Canuck at 2FatDads dot com>
Delivered-To: Johnny Canuck at 2FatDads dot com
Received: by 10.xxx.yyy.z with SMTP id dg4cs37405ibb; Mon, 7 Jun 2010 15:34:15 -0700 (PDT)
Received: by 10.xxx.yyy.z with SMTP id b13mr15075587ybj.431.1275950054976; Mon, 07 Jun 2010 15:34:14 -0700 (PDT)
Received: from localhost ([194.135.105.232]) by mx.google.com with SMTP id e3si16328796ybi.10.2010.06.07.15.34.11; Mon, 07 Jun 2010 15:34:14 -0700 (PDT)
Return-Path: <hedu@apu.edu><– GIVEAWAY
Received-Spf: neutral (google.com: 194.135.105.232 is neither permitted nor denied by best guess record for domain of hedu@apu.edu) client-ip=194.135.105.232;
Authentication-Results: mx.google.com; spf=neutral (google.com: 194.135.105.232 is neither permitted nor denied by best guess record for domain of hedu@apu.edu) smtp.mail=hedu@apu.edu <– GIVEAWAY
X-Facebook: from zuckmail ([H7014Nyt8BBi]) by www.facebook.com with HTTP (ZuckMail);<– GIVEAWAY
Message-Id: <69bd6f1fbe0114ed6679c192b96a7991@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00] <– GIVEAWAY
X-Facebook-Notify: deactivation_email; mailid=
X-Facebook-Priority: 0<– GIVEAWAY
Mime-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit

The lines marked with the red GIVEAWAY should point you in the right direction as to the dubious nature of this email. But it gets even better. As you can see in the image above, hovering over the sign-in button gives you the URL for a site in South Africa; ZA does not stand for Zuckerberg…

How did they do that? Magicians? No, just evil bastards, as the link implies.
Next, the link for Facebook.com actually points to another site as well. I must admit that they were very clever in making the link look as real as possible, complete with all the official-looking http:// stuff. Now I apologise for breaking this down like you were a four-year-old, but I’m going to post this on Facebook too, so here we go:
When you click on a link you are never actually clicking on those words at all; you are clicking on the code behind the link, and it can point anywhere. Here, let me show you: this is a link to Google, right? http://www.google.com . Try clicking on it; you will actually be taken to bing.com, Microsoft’s search engine. Sneaky, huh? Well, not really; we used to do this all the time in the 90s. These days most spammers will try a little harder to hide the actual link behind some JavaScript, so hovering over it, as in the picture above, does nothing. But these guys aren’t that smart, or they were just lazy because they’re counting on Facebook users not knowing any better. (Yes, that was an intentional dig at Facebook users.)
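Both tells above (the header block whose Return-Path and SPF result contradict the “Facebook” From address, and links whose visible text claims one site while the code behind them points at another) can be checked mechanically. The script below is an added example, not code from this post; the sample message is constructed from the headers quoted above, with a placeholder HTML body (signin.example.net standing in for the South African site, since the real body is not reproduced here) and a hypothetical BRANDS list.

```python
"""Triage a raw e-mail for two phishing tells: sender headers that contradict
the From address, and HTML links whose text misrepresents the target.
Added example, not the blog's code; the sample message is constructed."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names the display text might claim (hypothetical list for this example).
BRANDS = ("facebook",)

# Display text that looks like a URL or host name, e.g. "www.facebook.com/help".
URLISH = re.compile(
    r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I
)

# Constructed sample: headers mirror those quoted in the post; the body is a
# stand-in using placeholder hosts (the real phishing HTML is not on the page).
SAMPLE_HEADERS = """\
From: Facebook <noreply@facebookmail.com>
Subject: You have deactivated your Facebook account
Return-Path: <hedu@apu.edu>
Received-SPF: neutral (google.com: 194.135.105.232 is neither permitted nor denied by best guess record for domain of hedu@apu.edu) client-ip=194.135.105.232;
X-Mailer: ZuckMail [version 1.00]
Content-Type: text/html; charset="UTF-8"
"""
SAMPLE_BODY = """\
<html><body>
<p>To sign in, go to <a href="http://signin.example.net/fb">http://www.facebook.com/</a></p>
<p>Or open <a href="http://signin.example.net/fb">Facebook</a> directly.</p>
<p>Help: <a href="http://www.facebook.com/help">www.facebook.com/help</a></p>
</body></html>
"""
SAMPLE_EMAIL = SAMPLE_HEADERS + "\n" + SAMPLE_BODY


def _domain(addr):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _host(url):
    """Host of a URL with userinfo, port and a leading 'www.' stripped."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    # "http://www.facebook.com@evil.example/" has netloc "www.facebook.com@evil.example";
    # the real host is what follows the last '@', so keep only that part.
    host = parsed.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
    return host[4:] if host.startswith("www.") else host


def header_findings(raw_message):
    """Header-level tells, in the spirit of the GIVEAWAY marks in the post."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(
            f"Return-Path domain '{return_domain}' differs from From domain '{from_domain}'"
        )
    # The first token of Received-SPF is the result: pass, fail, softfail, neutral, none.
    spf = msg.get("Received-SPF", "").strip().split(" ", 1)[0].rstrip(";").lower()
    if spf and spf != "pass":
        findings.append(f"SPF result is '{spf}', not 'pass'")
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """(text, href, reason) for links whose visible text misrepresents the target."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        target = _host(href)
        if URLISH.fullmatch(text):  # text looks like a URL: hosts must agree
            if _host(text) != target:
                flagged.append((text, href, "display text names a different host"))
        elif any(b in text.lower() and b not in target for b in BRANDS):
            flagged.append((text, href, "brand in text but not in target host"))
    return flagged


def triage(raw_message):
    """Run both checks on a raw message; non-multipart HTML bodies only."""
    msg = email.message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    return {"headers": header_findings(raw_message), "links": deceptive_links(body)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

On the sample, the header check reports the apu.edu Return-Path against the facebookmail.com From and the neutral SPF result, and the link check flags the two links pointing at the placeholder host while leaving the genuine help link alone. The userinfo handling in `_host` matters because a URL like `http://www.facebook.com@evil.example/` shows a familiar name first but connects to the host after the `@`.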

Even the unsubscribe link will steal all your personal data and rape your kittens. Evil Bastards.

So this is where it gets even better, or worse if you really don’t know what the hell you’re doing. So you think to yourself: I don’t want to get this kind of email again, and hopefully you click the spam/junk button in your email client and never think about it. Or you decide to unsubscribe instead. Bad move, and you lose again: by now you have already sent these guys your bank details so they can get some inheritance money out of Nigeria and cut you in for 10%, or, even worse, you click on one of these emails from your bank and spend 20 minutes inputting your bank account number, social insurance number, date of birth, etc., and there is now someone going by your very name, driving a very nice Jag in Macedonia and vacationing in the house you paid for in Tuscany.
