More Facebook Phishing

We’ve talked before about how the Internet threat landscape has changed over the past few years. Increasingly, malware is being distributed, not by sending you an infected email attachment, but by trying to entice you to visit a Web site that will drop the malware onto your computer. It should be no surprise to anyone that, given the explosive growth of Facebook, and given the fact that the fastest growing segments of Facebook users are people who are not “power users,” and who probably don’t know a lot about Internet security, these people are obvious targets for the bad guys.

Here’s a classic “phishing” example – one that recently showed up in my email. Let’s break it down and look at the things that are not quite right about it, and perhaps it will help you spot similar attempts in the future. As you read through this post, you may want to open the images in separate windows, so you can easily see what we’ll be discussing here.

If you’ve got a presence on Facebook, you’ve no doubt received one or more email messages that look like this (I’ve blanked out stuff that might identify the specific Facebook friend who sent me the message):

There are some things that are consistent across all of the legitimate notification messages that I’ve received:

• The subject line contains the name of the person who sent me the message (“so-and-so sent you a message on Facebook”).
• The first line in the message itself also contains the name (“so-and-so sent you a message”).
• The name is repeated yet a third time next to the sender’s profile pic, along with the time stamp of when the message was sent.
• The text of the message is included in the email.
• The hyperlink that’s provided (“To reply to this message, follow the link below”) contains the email address that’s associated with my Facebook account.
• The footer repeats my email address (“This message was intended for…”), and the big, long, cryptic number that’s provided in the unsubscribe link is the same big, long, cryptic number that was in the reply link.

Now, let’s look at the phishing message:

First of all, although this isn’t obvious by looking at the message, this email was sent to my personal email address, which is not the address that’s associated with my Facebook account. That was my first clue that something wasn’t right. But let’s look at all the other discrepancies:

• The subject line just says “You have 1 unread message(s)…” with no indication of who may have sent the message to me.
• In the body of the message, instead of the sender’s name, it just says “Facebook” sent you a message.
• There is no time stamp provided.
• The text of the message itself is not included – because, of course, the sender wants me to click on the link provided to see what it is.
• The hyperlink provided does not include my email address.
• The hyperlink is “cloaked,” that is, it doesn’t go to the location it claims to go to. As you can see, when I hovered my mouse over the link, the pop-up window showed that the hyperlink actually went to a totally different destination that had nothing to do with Facebook.
• The footer does not contain the “This message was intended for” text with my email address
• The unsubscribe link simply says “click here” rather than being specifically associated with the message ID.

Now that I’ve pointed out all of the differences, it’s probably pretty obvious that this isn’t a legitimate message – but taken one by one, the differences are all pretty subtle. Would you have spotted them if I hadn’t pointed them out? All in all, this is a relatively well-crafted phishing email, and I have no doubt that lots of recipients would click on the link provided without even thinking about it. And here’s what would have happened:

According to Google’s “Safe Browsing” diagnostics, 10 different pages within this domain were designed to drop malware on the visitor’s PC without their knowledge or consent: five scripting exploits, two other exploits, and one trojan.

The moral of the story is that you should always be suspicious of links that are sent to you by email. I used to own a motorcycle, and I always tried to drum into my kids the concept that, in order to survive as a biker, you have to ride with a certain amount of paranoia: you must assume that you’re invisible, and the other motorists can’t see you…and those who can see you are out to get you. Unfortunately, we’re at the point where the same kind of paranoia is required to stay safe on the Internet. Yes, in most cases, there are subtle clues that you can spot if you know what to look for. But you’re probably better off to simply assume that any message you receive is a phishing attempt unless/until you can determine otherwise.

And if there’s ever any question in your mind, don’t click on the link. You can always open a browser, type in Facebook’s URL manually, and check to see if you actually do have any messages instead of clicking on a link in an email. Same with email messages that purport to come from your bank.

Remember: just because you’re paranoid doesn’t mean that they aren’t out to get you!