Facebook Phishing (on first sight)

Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we now are seeing plenty of mails which look like Facebook phishing.

The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+<random chars>@facebookmail.com”.

Some observations about the current spam mails:

  • Almost all the spams we’ve seen come from Russia (the “received” headers show that the sender sits in russian networks)
  • There is always a fake Message-ID similar to the one from Facebook  : <something@www.facebook.com>
  • The header “X-Mailer: ZuckMail [version 1.00]” is always the same
  • There is an additional X-header called Errors-To with another email address at Facebook “notification+<other-random-chars>@facebookmail.com”

We asked ourselves why the cyber criminals do so much hassle with creating a phishing email in order to get redirected to an online pharmacy website. There are PROs and CONs if someone sends phishing emails using sites like Twitter and Facebook:

PRO: Using these sites which each having at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even a 0.01% of the people buy something from those websites, then the operation was a success.

CON: Sending such a primitive phishing is a very bad idea because it is very simple to detect it. Practically, there is clear indication of phishing even for basic detection algorithms like those in Thunderbird.

Bottom line, the spammers are just trying everything to get some attention and therewith purchasers.

Sorin Mustaca
Manager International Software Development