Trolling, trolling, trolling, RawHide!
May 26, 2009 9:47 AM

What is the attack vector on this apparent facebook phishing email?

I received the following email (twice actually) this morning:
Hey Foo,

You recently registered for Facebook. To complete your Facebook registration, follow this link:

http://www.facebook.com/c.php?code=520372293&email=FooBar%40googlemail.com

Facebook helps you communicate and stay in touch with all of your friends. Once you join Facebook, you'll be able to share photos, plan events, and more.

Thanks,
The Facebook Team


Where Foo Bar is my real name and foobar@gmail.com is one of my email addresses. I don't have a facebook account and haven't tried to sign up for one. The link text matches the hover over text in Mozilla.
posted by Mitheral to Computers & Internet (14 answers total)
 
Maybe someone signed "you" up? Or maybe someone with the same name as you signed up and forgot what their correct email address is? I regularly get emails to my email fbar@gmail.com when really THEIR email address is fredbar@gmail.com or francesbar@gmail.com. (and yes, even from the people themselves!)

Though I guess if it is a real phishing email, they can also change the hover status bar message with javascript, so you could check the source code.
posted by ClarissaWAM at 10:01 AM on May 26, 2009


If that is the actual URL, someone just created a Facebook account with your name and e-mail. They probably clicked the 'reset activation email' link (or whatever it's labeled) which sent the duplicate message.
posted by wongcorgi at 10:02 AM on May 26, 2009


Is that the actual link or is that the text you see? If that is the actual link... then it isn't an attack, as you are going to the real facebook domain...
posted by fozzie33 at 10:02 AM on May 26, 2009


Well, Facebook encourages you to add friends by giving the site access to your email account, encourages you to buy things with a credit card, and encourages you to spread how great it is to other people. These phishing attempts are looking for suckers to add all that information to a fake page.

Can you right click on the link and "copy link location" and see if that redirects to another site?

The spammers might well have gotten your name from a person who allowed Facebook to access their email account to find friends, and then the Facebook account was compromised.
posted by Science! at 10:07 AM on May 26, 2009


You CAN change hovertext for a link, so as Science! says, the right click, "Copy Link Location" (or whatever your specific browser or e-mail client has) will help with that (paste it in Notepad or something not in a web browser).

Also there is the remote chance your hosts.ini file has been compromised, so even if you go to facebook.com you may be going to a fake site.
posted by arniec at 10:35 AM on May 26, 2009


The HOSTS file issue isn't realistic, because it wouldn't come hand-in-hand with a phishing email. That is to say, even if it had somehow occurred, it would be unrelated to this email. And highly unlikely. And extremely coincidental.

It just sounds like someone created a Facebook account with your name and one of your email addresses. Go create a Facebook account with another one of your email addresses and see if it's the same.
posted by disillusioned at 11:31 AM on May 26, 2009


Response by poster: Copy link location gives the same URL.

I went ahead and created a facebook account with the username FooBar@gmail.com so it was available which eventually resulted in the following confirmation email:

Hey Foo,

You recently registered for Facebook. Please confirm your account by clicking this link:

http://www.facebook.com/confirmemail.php?e=foobar%40gmail.com&c=20####371

Thanks,
The Facebook Team


Confirmation Code #: 20####371

___
Think these notification emails are for someone else? To report this account, go to:
http://www.facebook.com/confirmemail.php?e=foobar%40gmail.com&c=20####371&report=1


So similar yet significantly different. The solicited facebook email URL has a different structure and includes the report text at the bottom plus the confirmation code in plain text.
posted by Mitheral at 12:02 PM on May 26, 2009


Hm odd. I just went and dug out my own Facebook Registration Confirmation email (yay for Gmail & never deleting anything) and it's exactly like your first one:
Hey Clarissa,

You recently registered for Facebook using this email address. To complete your registration, follow the link below:
http://www.facebook.com/c.php?code=10xxxx31&rt=2&email=myaddress%40gmail.com
(If clicking on the link doesn't work, try copying and pasting it into your browser.)

If you did not register for Facebook, please disregard this message.
Please contact info@facebook.com with any questions.

Thanks,
The Facebook Team


Didn't you get the 2nd one because someone HAD already registered you? Maybe that's why it's slightly different?
posted by ClarissaWAM at 12:11 PM on May 26, 2009


Ok scrap that, only the beginning is the same. Perhaps they have different versions?
posted by ClarissaWAM at 12:12 PM on May 26, 2009


Check the headers. In gmail, this is accomplished by clicking "show details" upper-right of the message. Take a look at who actually mailed it, which has no causal relationship to what the From header displays. All my facebook email is being sent via facebookmail.com.

If it's some unknown host, I suppose it could be an attack of some sort, but I can't figure what it would be, since it sends you to a real url on facebook. Perhaps there is some javascript or IDN trick that gmail is filtering out, making it look harmless.

I think more likely, someone is just a dumbass and keeps using your email to sign up. You would not believe how many people do this. I have a really super-common name. Back when gmail was still beta and only employees got invites, a friend of mine hooked me up with an account, so of course I swooped on just using my real name. I now get 20-30 emails a week that are simply sent to the wrong address. We're talking embarrassingly private stuff like nude pics, cc numbers, people's resumés, students' late homework, craigslist responses. Some people serially give out my email address instead of theirs. It is maddening. I sometimes fancy they are this irresponsible with their phone number and can't figure how they get anything accomplished.
posted by cj_ at 5:13 PM on May 26, 2009


Anyway, if it's really from facebook, you should see this when you do show details:

mailed-by facebookmail.com
signed-by facebookmail.com
posted by cj_ at 5:15 PM on May 26, 2009


Seconding the need to see the mail headers. In GMail, you can first select the message. Then click on the small triangle to the right of the "Reply" button, and from the menu that appears, choose "Show original". A new window will show the full message and headers.
posted by procrastination at 5:41 PM on May 26, 2009


Response by poster: cj_ writes "I think more likely, someone is just a dumbass and keeps using your email to sign up."

Always a possibility.

I had a look in the headers before posting the question and didn't see anything weird, here they are for those who might be interested:
From - Tue May 26 04:33:38 2009
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Delivered-To: foobar@gmail.com
Received: by 10.90.63.19 with SMTP id l19cs468500aga;
Tue, 26 May 2009 04:28:46 -0700 (PDT)
Received: by 10.114.14.8 with SMTP id 8mr17066891wan.76.1243337325505;
Tue, 26 May 2009 04:28:45 -0700 (PDT)
Return-Path:
Received: from mx-out.facebook.com (outmail017.snc1.tfbnw.net [69.63.178.176])
by mx.google.com with ESMTP id 35si9063519pxi.48.2009.05.26.04.28.44;
Tue, 26 May 2009 04:28:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of register+AbWVsdmlud2lsbGlzQGdvb2dsZW1haWwuY29t@facebookmail.com designates 69.63.178.176 as permitted sender) client-ip=69.63.178.176;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of register+AbWVsdmlud2lsbGlzQGdvb2dsZW1haWwuY29t@facebookmail.com designates 69.63.178.176 as permitted sender) smtp.mail=register+AbWVsdmlud2lsbGlzQGdvb2dsZW1haWwuY29t@facebookmail.com; dkim=pass header.i=@facebookmail.com
Return-Path:
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=q1-2009b; c=relaxed/relaxed;
q=dns/txt; i=@facebookmail.com; t=1243337317;
h=From:Subject:Date:To:MIME-Version:Content-Type;
bh=I4jgEnblUmwSTHGa/CMuON0XEUE=;
b=MAWE7OVl/mibwoMIWEufG0bI0pOazQYwroFTQ1TrSsW6kIZbrK7c5dGEfZmsET5e
G/bgHMCGR0hgB9w72zp03g==;
Received: from [10.18.255.176] ([10.18.255.176:41512] helo=www.facebook.com)
by mta006.snc1.facebook.com (envelope-from )
(ecelerity 2.2.2.37 r(28805/28844)) with ESMTP
id E5/0E-28238-562DB1A4; Tue, 26 May 2009 04:28:37 -0700
X-Facebook: from zuckmail ([OTQuMTk2LjE5OS4yMjQ=])
by www.facebook.com with HTTP (ZuckMail);
Date: Tue, 26 May 2009 04:28:37 -0700
To: foobar@googlemail.com
From: Facebook
Subject: Facebook Account Confirmation
Message-ID: <9>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: reg_confirmation; mailid=
X-FACEBOOK-PRIORITY: 1
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
posted by Mitheral at 5:51 PM on May 26, 2009
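The header check cj_ and procrastination describe (look at who actually handed the message to your mail server and whether your server's SPF and DKIM verdicts name the expected domain) can be automated over the "Show original" text. This is an added example, not code from this thread or from Facebook. The raw message below is constructed, modelled on the headers posted above: the addresses, the "+TOKEN" tag and the signature values are placeholders, and the receiving server name and trusted-domain list passed to assess() are assumptions. It reads the verdict your own MTA recorded in Authentication-Results rather than re-verifying the DKIM signature itself (that would need DNS access), so it also checks that the verdict was written by your server and not supplied by the sender.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers posted in this thread. Addresses,
# the "+TOKEN" tag and the bh=/b= values are placeholders, not real data.
SAMPLE_RAW = """\
Delivered-To: foobar@example.com
Received: from mx-out.facebook.com (outmail017.snc1.tfbnw.net [69.63.178.176])
        by mx.google.com with ESMTP id 35si9063519pxi.48.2009.05.26.04.28.44;
        Tue, 26 May 2009 04:28:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of register+TOKEN@facebookmail.com designates 69.63.178.176 as permitted sender) client-ip=69.63.178.176;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of register+TOKEN@facebookmail.com designates 69.63.178.176 as permitted sender) smtp.mail=register+TOKEN@facebookmail.com; dkim=pass header.i=@facebookmail.com
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=q1-2009b; c=relaxed/relaxed;
        q=dns/txt; i=@facebookmail.com; t=1243337317;
        h=From:Subject:Date:To:MIME-Version:Content-Type;
        bh=PLACEHOLDERBODYHASH=;
        b=PLACEHOLDERSIGNATURE==;
From: Facebook <notification@facebookmail.com>
To: foobar@example.com
Subject: Facebook Account Confirmation

Hey Foo,
"""


def is_trusted(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def domain_of(addr):
    """Domain part of 'user@host' or '@host'; '' if there is no '@'."""
    return addr.rpartition("@")[2].strip().lower()


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: result}, {prop: value}).

    Parenthesised comments are discarded; clauses are separated by ';'.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, methods, props = parts[0], {}, {}
    for clause in parts[1:]:
        tokens = re.sub(r"\([^)]*\)", "", clause).split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        methods[method.lower()] = result.lower()
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val
    return authserv_id, methods, props


def dkim_signing_domain(signature):
    """The d= tag of a DKIM-Signature header, lower-cased, or ''."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", signature)
    return m.group(1).lower() if m else ""


def assess(raw, expected_receiver, trusted_domains):
    """Return a list of findings; an empty list means every check passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    ar = msg.get("Authentication-Results")
    if ar is None:
        return ["no Authentication-Results header; SPF/DKIM cannot be judged"]
    authserv_id, methods, props = parse_auth_results(str(ar))

    # Only the verdict written by your own receiving server means anything;
    # a sender can insert an Authentication-Results header of its own.
    if authserv_id.lower() != expected_receiver.lower():
        findings.append(f"Authentication-Results written by {authserv_id!r}, not {expected_receiver!r}")

    envelope_domain = domain_of(props.get("smtp.mail", ""))
    if methods.get("spf") != "pass":
        findings.append(f"SPF result is {methods.get('spf', 'missing')!r}")
    elif not is_trusted(envelope_domain, trusted_domains):
        findings.append(f"SPF passed for untrusted envelope domain {envelope_domain!r}")

    dkim_domain = domain_of(props.get("header.i", ""))
    if methods.get("dkim") != "pass":
        findings.append(f"DKIM result is {methods.get('dkim', 'missing')!r}")
    elif not is_trusted(dkim_domain, trusted_domains):
        findings.append(f"DKIM passed for untrusted signing identity {dkim_domain!r}")

    # The d= tag in the signature itself should agree with what the verifier reported.
    sig = msg.get("DKIM-Signature")
    if sig is not None and dkim_signing_domain(str(sig)) != dkim_domain:
        findings.append("DKIM-Signature d= does not match the verified identity")

    # Alignment: the From: domain the user sees should be one of the trusted domains.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if not is_trusted(domain_of(from_addr), trusted_domains):
        findings.append(f"From: domain {domain_of(from_addr)!r} is not a trusted domain")
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_RAW, "mx.google.com", ["facebook.com", "facebookmail.com"]) or "looks authentic")
```

The trusted-domain list deliberately includes both facebook.com and facebookmail.com, since the thread shows the notification mail signed by and enveloped from facebookmail.com while the links point at facebook.com; an SPF or DKIM pass for some unrelated domain is not evidence of anything, which is why each pass is checked against that list rather than taken at face value.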


That is a bona fide email from Facebook.

I can't explain the different email text, but I doubt it's important. My guess? They use a different template if it is the first time you tried to sign up with an email address ("Facebook helps you communicate and stay in touch with all of your friends."), and a disclaimer if the same address is used again while a confirmation is still pending ("If you did not register for Facebook, please disregard this message").

Also they have multiple content delivery networks; variations in the email template could just be a syncing issue.
posted by cj_ at 6:06 PM on May 26, 2009

