Beware Fake Facebook Friend Requests, Leading to Malware
Tonight I received what appeared to be a Facebook Friend Request, but it was addressed to an account not associated with Facebook. It was also suspiciously marked with gray icons in MailWasher Pro. This indicates that the anti-spam program wasn't sure if it was good or bad. That set off my alarm bells, because I have a custom filter that identifies all legitimate messages from Facebook as Good.
Luckily for me, I am a spam fighter and suspicion is my modus operandi. Had I been a casual computer user I might have curiously clicked on the link in this email and had my computer infected with a fake Flash Player update, plus an exploit attack kit, within seconds! Then I would have been phished with a fake Facebook login page! Here is what I saw and what the source code revealed about the email message.
First, the headers:
Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600
Received: from [123.236.135.113] (helo=ZDIHFSM)
my own server details removed
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
by mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427
for
Date: Mon, 22 Aug 2011 09:05:39 +0530
Subject: Zaahid Ababneh wants to be friends on Facebook.
From: Facebook <notification+gugsche@facebookmail.com>
Look at the bold portions of the above headers. The first bold line contains the date when this email was delivered to me by my email server, which is in Utah:
Sun, 21 Aug 2011 21:36:18 -0600
Directly underneath the arrival date is the last Received From line, indicating that the email was delivered to me from the IP address 123.236.135.113. If this email really came from Facebook, the IP address would resolve to one with facebook.com in a "Whois" look-up, and in a reverse IP look-up. However, running a Whois check on this IP address revealed that rather than belonging to Facebook, it is registered to Reliance Communications, in Mumbai, India!
Moving down to the next Received line, it says that the email was relayed through LinkedIn. Now, why would Facebook need to use LinkedIn servers? They absolutely would NOT. Also, note that the email was handed to the LinkedIn mail server by the rctengineering.com domain, not Facebook. That domain belongs to a Bell South customer!
Now, look at the date when the email was relayed through the alleged LinkedIn server: Mon, 22 Aug 2011 09:05:39 +0530. That date is almost 12 hours in the future from when my email server in the USA received the message. I ran a look-up of timezones and found that +5:30 belongs to India. That coincides with the IP address of the Received From line at the beginning (which is the final email hand-off). That proves that the message did indeed come from India and was not associated with any Facebook email servers in the USA, or anywhere else.
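The header reasoning above (walk the Received chain newest hop first, ask whether any hop's sending or relaying host belongs to the domain the message claims to come from, read the UTC offset the originating client stamped into the Date header, and note that the final hand-off came from a bare IP literal) can be automated. The following is an added example, not code from the original post: it reconstructs the quoted headers as a constructed sample, with the author's removed receiving-server details replaced by the placeholder host mail.recipient.invalid, and compares Date and Delivery-date in UTC so that the two timezones are not mixed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the post, with the author's removed
# receiving-server details replaced by the placeholder mail.recipient.invalid.
SAMPLE_HEADERS = (
    "Delivery-date: Sun, 21 Aug 2011 21:36:18 -0600\n"
    "Received: from [123.236.135.113] (helo=ZDIHFSM)\n"
    "\tby mail.recipient.invalid with esmtp\n"
    "Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])\n"
    "\tby mail.rctengineering.com (8.13.8/8.13.8) with ESMTP id 2714Y3V654427\n"
    "Date: Mon, 22 Aug 2011 09:05:39 +0530\n"
    "Subject: Zaahid Ababneh wants to be friends on Facebook.\n"
    "From: Facebook <notification+gugsche@facebookmail.com>\n"
    "\n"
    "(body omitted)\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw):
    """Return the Received chain, newest hop first, as (from_name, ip, by_host) tuples."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_RE.match(value)
        by_m = BY_RE.search(value)
        ip_m = IP_RE.search(value)
        hops.append((
            from_m.group(1) if from_m else None,
            ip_m.group(1) if ip_m else None,
            by_m.group(1) if by_m else None,
        ))
    return hops


def hops_outside_domain(raw, claimed_domain):
    """Hops whose sending and relaying hosts both lie outside claimed_domain.
    A notification genuinely generated by that domain should show at least one
    hop whose 'from' or 'by' host belongs to it."""
    def in_domain(host):
        return host is not None and host.rstrip(".").lower().endswith(claimed_domain)
    return [h for h in received_hops(raw) if not (in_domain(h[0]) or in_domain(h[2]))]


def date_header_utc_offset_hours(raw):
    """UTC offset stamped into the Date header by the originator, e.g. 5.5 for +0530."""
    msg = message_from_string(raw)
    return parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600


def delivery_skew_seconds(raw):
    """Seconds between the Date header and Delivery-date, both converted to UTC.
    Comparing the two wall-clock strings directly would mix timezones."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    delivered = parsedate_to_datetime(msg["Delivery-date"])
    return int((sent - delivered).total_seconds())


def last_hop_is_bare_ip(raw):
    """True when the final hand-off came from an IP literal with no host name,
    as in 'from [123.236.135.113] (helo=ZDIHFSM)'."""
    from_name, ip, _ = received_hops(raw)[0]
    return from_name is not None and from_name == f"[{ip}]"


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print("hop:", hop)
    print("hops not involving facebook.com:",
          len(hops_outside_domain(SAMPLE_HEADERS, "facebook.com")))
    print("Date header offset (hours):", date_header_utc_offset_hours(SAMPLE_HEADERS))
    print("Date vs delivery skew in UTC (s):", delivery_skew_seconds(SAMPLE_HEADERS))
    print("last hop is a bare IP literal:", last_hop_is_bare_ip(SAMPLE_HEADERS))
```

On the sample, neither hop involves a facebook.com host, the Date header carries the +0530 offset that the post traces to India, and the final hand-off is an IP literal rather than a named mail server. The Whois and reverse-DNS steps the post describes are deliberately left out, since they need network access; the offline checks here are the ones a mail filter can apply before any look-up.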
Another giveaway is the name in the email address of the sender of the notification. It is almost always somehow related to the actual name of the person wishing to become friends with a Facebook user. But, this time, the name in the email address prefix was nothing like the Arabic name in the Subject line. Rather, it was "gugsche".
With so much wrong in the headers I took a look at the source code in the message body. After scrolling down through numerous lines of code and images, I finally arrived at the payload link, near the bottom. The anchor text (the text inside the opening and closing link tags) said "Confirm Friend Request", but the actual destination of the hidden hyperlink was not anywhere on Facebook.com. Instead, the link pointed to "session74815472744961.pmstdl.com/confirm/req/" (hovering over the link reveals this).
When I investigated this link, using a safe, non-exploitable browsing tool and a Whois look-up, I found that the domain belongs to a Russian person, going by the name Aleksei O Zhukov, in Moskovskaya Oblast, Russia. Every time I reloaded the link from the email, I ended up on a different IP address, hosting the exact same fake Facebook login phishing page. Rotating IP addresses is a common trick used by phishing scammers and drug spammers, to protect against total takedown of their criminal operation.
For the techies among you, the landing pages are all running Russian Nginx web servers.
There is a hidden iframe on the landing page, leading to exploit attacks on your browser. Furthermore, there is a fake Flash movie area, with a missing plugin notice and a link telling you to update your Flash Player. That update, titled "updateflash.exe" - leads to a malware infection you will regret. It is hosted on that very website, although it claims you will be updating at adobe.com. NOT!
Anybody who is tricked into clicking on the link in these fake Facebook Friend Requests is treated to three criminal exploits.
- Your Facebook credentials are stolen and used by spammers and malware distributors
- Your browser is assaulted with a crimeware exploit pack
- You are tricked into installing fake/rogue anti-virus, or similar worthless software, which will claim that your PC is infected and will demand payment to clean the infections
While your PC is held hostage by the fake security program you thought was a Flash update, a botnet will be installed in the background and possibly a key logger, to steal your online banking credentials.
My advice to anybody receiving a Facebook Friend Request is to find out how you can display the complete headers and look over the information contained in them for inconsistencies. If it says Facebook, but the Received From mail servers are not from facebook.com and a Whois look-up of the sender's IP is not assigned to facebook.com, it is a scam. Hover over (but don't click) any link that accepts the request and read the actual destination URL in the status bar at the bottom of your email client or browser. If the first section after http:// and ending with the first forward slash (/) is not facebook.com, it is a hostile link. Delete the email immediately!
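The link rule just given (the host between http:// and the first slash must be facebook.com, whatever the visible anchor text says) is easy to apply to a whole message body rather than one hovered link at a time. The following is an added example, not code from the original post: it collects every anchor from a constructed HTML body with Python's standard-library parser, extracts the host with urllib rather than by substring search, and flags any link whose host is not facebook.com or one of its subdomains. The first link uses the host quoted in the post with the http:// scheme assumed; the other two are invented here for contrast, including a look-alike host that merely starts with "facebook.com".

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: the visible anchor text says "Confirm Friend Request"
# but the target is the host quoted in the post (http:// scheme assumed). The other
# two links are invented for contrast: one genuinely on the expected domain and
# one look-alike host on the reserved .invalid TLD.
SAMPLE_BODY = """
<p>Zaahid Ababneh wants to be friends on Facebook.</p>
<a href="http://session74815472744961.pmstdl.com/confirm/req/">Confirm Friend Request</a>
<a href="https://www.facebook.com/n/?settings">Notification settings</a>
<a href="http://facebook.com.login-check.invalid/">See all requests</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def belongs_to(hostname, expected):
    """True only for the expected domain itself or one of its subdomains.
    'facebook.com.login-check.invalid' fails: the domain must be the suffix,
    not merely appear somewhere in the host."""
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == expected or hostname.endswith("." + expected)


def hostile_links(html, expected_domain="facebook.com"):
    """Apply the post's rule with a real URL parser: every link in a message that
    claims to come from the service must point at that service's domain.
    Returns (anchor_text, host) for each link that does not."""
    flagged = []
    for text, href in extract_links(html):
        host = urlsplit(href).hostname  # ignores userinfo, port, path
        if not belongs_to(host, expected_domain):
            flagged.append((text, host))
    return flagged


if __name__ == "__main__":
    for text, host in hostile_links(SAMPLE_BODY):
        print(f"hostile: '{text}' -> {host}")
```

Using urlsplit().hostname instead of slicing the string between http:// and the first slash matters: it strips any user@ prefix or port that could be placed in front of the real host, and the suffix test in belongs_to keeps a host that merely begins with facebook.com from passing.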
Stay safe my friends (Facebook and other)!
NB: I used MailWasher Pro to screen this and all incoming email. It can show the entire source code with the click of a button.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.