A breakdown of a scam that starts with an email that looks like it has come from Facebook
I received an email that at first appearance looks to be from Facebook but the first clue that it’s fake is that it arrived at an email account that I’ve never used with Facebook (like I’d trust them with anything meaningful! pah). Here I take a look at the scam, the players and the played…
To start with click on the thumbnail to see a screenshot of the offending email so you can judge for yourself how convincing it is at first glance. The first paragraphs reads
“You have closed your Facebook account. You can regenerate your account at any time you decide by logging into Facebook with your used for registration login email address and password. After logging in you will be able to use the site as usually.”
It aims to provoke a panicked response from the reader in the hope that you’ll overlook the appalling grammar and start clicking links to save your precious Facebook account on the assumption that anyone with an email account must be using it for social networking.
The email sender’s display name says Facebook but that’s easily faked so we’ll move on. Most email tools will show you the sender’s email address either in plain sight, by hovering your mouse over the display name or clicking on the name. This email appears to have come from [email protected] but again this is trivial to fake so we won’t put too much weight on it just yet.
The financial-tracking.com website appears to be a legitimate US company but before we start pointing fingers we look at the header information of the email which includes some pointers that are more difficult to fake.
There are a few interesting snippets here. First is what appears to be the sender’s original IP address…
Received: from [126.96.36.199] (port=3699)
This IP address belong to an ISP in Ukraine not the US where financial-tracking is based and hosted. Second is what appears to be a sender’s email address earlier in the chain which belongs to a company in Netherlands…
(envelope-from <[email protected]>)
It’s not clear from the information available whether this email address has actually been used or whether it’s another spoof to further hide the sender’s true identity. It does however appear that an email feature on the financial-tracking website has been used to bounce out emails, suggesting a flaw in their setup. The sender is likely using several weak websites to bounce emails out to more people before getting blocked by the web’s defences. This is indicated by the header line…
X-PHP-Script: financial-tracking.com/sendmail.php for 188.8.131.52
Without access to various email and web servers there is not much more we can do to investigate where the email has come from so we look instead at where the email is trying to take us.
The headshot image used in the email is taken from a website inc.com and is probably a legitimate image that happens to look Facebook’ish so we’ll skip over that. All of the links in the email point to the same location regardless of what they appear to say. Hovering over a link will usually show you the true destination, either across the bottom of your screen or it will pop up around your mouse. Whenever you click a link you should take a moment to check that the website you’re taken to is what you expect, keeping in mind that the style of a website is easily copied and a website address can be crafted to look similar.
The links take you to a page hidden in the website of a company in Ecuador http://s**g.com/templates/beez/recover_profile.html so clearly you’re not going to arrive at Facebook as you would expect.
If you hit the target page and there’s something wrong with your web browser (or if you’re a geek and you’re looking for trouble) then you’ll see a page that looks like the screenshot on the right… Notice how it no longer mentions Facebook and uses generic language so the same page can be recycled in other scams. If nothing else this crook is efficient.
Otherwise when you hit the page you’ll be bounced to another website by one of two lines of code…
The website at the end of this redirect is registered in US seemingly by a named individual but again from the information available it’s not clear whether this is the culprit or another innocent victim being exploited. At the time of writing there is no website active at this web address but we don’t know if the website has not yet been made live or if it has already served its purpose and been removed by the villainous author.