New Facebook phishing spam outbreak

In the recent past we saw emails looking like phishing mails, which were spam though actually.

The spammers tried to make them look as much as possible as official mails from the entity they were faking: Amazon, Twitter, Facebook, and so on. In the end, the target link was always redirected to a Canadian Pharmacy page.

Obviously, this type of email is not producing enough purchases anymore. We are now seeing massive amounts of emails pretending to be sent through Facebook, having a new format – the next twist in social engineering, trying to fool users into buying fake meds online.

The mails have the subject “<Full name> has sent you a message on Facebook” and the content is a “regular” picture from the meds spam.

Looking through the headers, we see clearly that there is nothing from Facebook there, except for the name. There are clear indications that the email has been sent through a botnet, and they use the standard link spoofing attempt (the user sees, but the actual target is different). Also important is the fact that the picture in the email is not attached to the email, but only referenced from a website. It seems that the spammers are pretty sure that their websites are no longer being shut down so quickly, because we see that they played everything on one card: The image is hosted on the same domain used for hosting the Canadian pharmacy website.

We checked about 100 different emails in this category and all of them use the same domain. We were curious and investigated who owns the domain – the domain is registered in China by a single registrar who owns 14 thousands other domains.

The Avira Premium Security Suite and Webgate customers are safe: The emails are marked as spam, and the URL is blocked.

Sorin Mustaca
Manager International Software Development