New phishing-spam waves using Facebook as bait
We have started to see again a large increase in the amount of emails pretending to come from Facebook. There are two types of emails which are being sent in large amounts currently. Both of them use classical types of social engineering techniques.
The first type is using the old trick with “the photos”. The final target is a website where SMSes can be sent for “free” (note the quotes). I would like to emphasize again that there is nothing out there for free. Even if you don’t pay for it, those who offer the service (or whatever is given for “free”) do get something in exchange. It might be your telephone number, your email address or something similar which is worth a lot on the Internet.
The second email wave uses the old trick with “notifications” from Facebook. The target website is a Canadian Pharmacy website in a new design.
By analyzing the headers of the two messages, we find already known techniques, which were used in the previous outbreaks using some known names as bait. The email headers are very well constructed by adding a lot of entries which make the email look as close as possible to the original Facebook mails.
Fake headers | ||
---|---|---|
Received: from [10.18.255.135] ([10.18.255.135:59076]) by mta016.snc1.facebook.com (envelope-from <[email protected]>) (ecelerity 2.2.2.45 r(34067)) with ECSTREAM id DE/6C-10257-74CA947F; Thu, 16 Sep 2010 23:15:00 -0700 X-Facebook: from zuckmail ([MTI3LjAuMC4x]) by www.facebook.com with HTTP (ZuckMail); Date: Thu, 16 Sep 2010 23:15:00 -0700 To: From: Facebook <[email protected]> Reply-to: Facebook <[email protected]> Subject: [Definitely Spam?] You have notifications pending Message-ID: <[email protected]> X-Priority: 3 X-Mailer: ZuckMail [version 1.00] X-Facebook-Camp: stale_email X-Facebook-Notify: stale_email; mailid=d2005b860446af88a804a830f15e92 Errors-To: [email protected] X-FACEBOOK-PRIORITY: 1 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=”b1_53365abd632d6d52eed06318304b59c1″ </td> </tr> </table>
|
Leave a comment