Phish: Facebook

Here’s the e-mail:

Return-Path: <lwit@cableone.net>
Received: from www.bagcrafters.com ([74.208.166.151])
        by mx.google.com with SMTP id c5si10832823vcx.28.2010.06.07.19.59.18;
        Mon, 07 Jun 2010 19:59:19 -0700 (PDT)
Received-SPF: neutral (google.com: 74.208.166.151 is neither permitted nor denied by domain of lwit@cableone.net) client-ip=74.208.166.151;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.208.166.151 is neither permitted nor denied by domain of lwit@cableone.net) smtp.mail=lwit@cableone.net
Date: Mon, 7 Jun 2010 22:54:10 -0400
To: <jayras@gmail.com>
From: Facebook <noreply@facebookmail.com>
Subject: You have deactivated your Facebook account (5928)

Hi,

You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.

Thanks,

The Facebook Team

Sign in to Facebook and start connecting

Sign In

To reactivate, follow the link below:

http://www.facebook.com/home.php

OK, let’s see…

  • Header shows it’s from a cableone.net address (FOR A WONDER!! It’s not Hotmail!!!). Oddly enough, the SMTP server it was handed off from is www.bagcrafters.com.
  • Link doesn’t go to Facebook. It actually goes to: forsale.com.sapo.pt
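As an added illustration (not part of the original post), here is a Python script that applies the two checks above, plus the SPF result, to a constructed copy of the quoted headers. The HTML body with the mismatched link is an assumption, since the post only quotes the visible URL and the hover target.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the headers quoted in the post.
# The HTML anchor (visible facebook.com text, real sapo.pt target) is assumed.
SAMPLE = """\
Return-Path: <lwit@cableone.net>
Received: from www.bagcrafters.com ([74.208.166.151])
 by mx.google.com with SMTP id c5si10832823vcx.28.2010.06.07.19.59.18;
 Mon, 07 Jun 2010 19:59:19 -0700 (PDT)
Received-SPF: neutral (google.com: 74.208.166.151 is neither permitted nor denied by domain of lwit@cableone.net) client-ip=74.208.166.151;
From: Facebook <noreply@facebookmail.com>
Subject: You have deactivated your Facebook account (5928)
Content-Type: text/html

<p>To reactivate, follow the link below:</p>
<a href="http://forsale.com.sapo.pt/">http://www.facebook.com/home.php</a>
"""

def domain_of(addr):
    """Domain part of an address like 'Facebook <noreply@facebookmail.com>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze(raw):
    """Return a list of human-readable red flags found in a raw RFC 2822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    spf_hdr = msg.get("Received-SPF", "")
    spf = spf_hdr.split(None, 1)[0].lower() if spf_hdr.strip() else ""
    if spf and spf != "pass":
        findings.append(f"SPF result is '{spf}', not pass")
    # The topmost Received header is the hop that handed the mail to our MX.
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+([\w.-]+)", received[0]) if received else None
    if m and not m.group(1).lower().endswith(from_dom):
        findings.append(f"submitting host {m.group(1)} is unrelated to {from_dom}")
    # Visible link text naming one host while the href points at another.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Running `analyze(SAMPLE)` reports all four mismatches the post walks through; a message whose envelope, From domain and links agree returns an empty list.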

On the whole, a VERY Dangerous Phish.

Looks to be an authentic copy of the actual deactivation e-mail one would receive from Facebook (and probably is).

In this case, however, it’s not from Facebook.

The most dangerous part about this Phish is the emotional response it will generate.

A typical first response will be:

OMG my Friends!!! I’ve been hacked!!

I got to get online and post about this and warn everyone NOW!

And then click the Link.

Which would be the exact thing you shouldn’t do.

Social media has become so mainstream these days that most think of it as more important than e-mail.

These days the first thing people do when they get up and drink their coffee is check Facebook and/or Twitter. Even before they turn on or read the news.

To many, it IS news of more import than what is in the paper.

So the idea of someone gaining access to your Facebook page and turning off your access is actually more frightening than if someone stole your car.

This e-mail is generated to get that exact response. If one takes an extra 10 seconds to think about it and gets past the emotion, you can come to two conclusions (or at least the first one):

  • It’s a mistake
  • Someone is trying to trick me

Then if you stop and hover over the link you will see it doesn’t go to Facebook.

Luckily, Google is also smarter than the average bear, and is emotionless. When I received this, it was preceded by a BIG red banner stating outright that this e-mail did not come from who it says it came from. Google assisted further in removing the e-mail by putting it in my spam folder.

Hopefully your e-mail provider is equally as thoughtful.

One final word of warning: it appears they were able to use the SMTP server for “www.bagcrafters.com”. I’m assuming that is a valid website, but if you have gone to that website I would be cautious; you could have caught something. If you are planning on going there, I would take an extra precaution or two. They may have been compromised.

Received again:

Return-Path: <claudia.colvil@wanadoo.fr>
Received: from www.bagcrafters.com ([74.208.166.151])
        by mx.google.com with SMTP id b2si34725457rvn.71.2010.06.25.22.42.29;
        Fri, 25 Jun 2010 22:42:30 -0700 (PDT)
Received-SPF: neutral (google.com: 74.208.166.151 is neither permitted nor denied by best guess record for domain of claudia.colvil@wanadoo.fr) client-ip=74.208.166.151;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.208.166.151 is neither permitted nor denied by best guess record for domain of claudia.colvil@wanadoo.fr) smtp.mail=claudia.colvil@wanadoo.fr
Date: Sat, 26 Jun 2010 01:36:40 +0600
To: <jayras@gmail.com>
From: Facebook Support <notification+fnqvkaidhxtc@facebookmail.com>
Reply-to: noreply <noreply@facebookmail.com>
Subject: Facebook Support sent you a message on Facebook…

One response so far

  • Mark says:

    bagcrafters is a scam and spam site. As for Google, they have it in their index like any other legit site, so no wonder you have lots of people getting scammed.

    They haven’t yet promoted it in their top results and shopping list, so some of us may get lucky and avoid it. But who knows, maybe they will upgrade it in the future.
