Thursday, March 18, 2010

Facebook Password Reset Confirmation Email Scam - Part II

After posting yesterday about the Facebook Password Reset Confirmation Email Scam, I received another variant of the same Facebook email scam with the virus attached.

The second variant of the email scam had the same harmful virus attached, and a few new features. The second variant of the Facebook Password Reset Confirmation Email Scam is pasted below:


Subject: Facebook Password Reset Confirmation YYYY


Hey [email-username],

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.

What was interesting about this variant is that it had two characteristics that distinguish it from the variant in the previous post:

  1. The email was personalized and addressed to the username portion of my email address.
  2. The email contained an identifier in the subject line, presumably to enable the email scam artist to better track responses and possibly to perform multivariate testing on different variations of the same email scam.

Both of these distinguishing elements of the Facebook Password Reset Confirmation Email Scam show some marketing prowess: #1 customizes the message to build trust and increase the response rate, and #2 was presumably done to track responses.


Key Takeaways:

Never, and I mean never, open an attachment from an unknown source. Even if you think you know the source (Facebook in this case), do not open the attachment unless it comes from a trusted individual. Don't be lulled into a false sense of security just because the email is personalized to you.

For More Information:
Facebook does not, based on its own policies, send user passwords in file attachments in response to a password reset request. Based on a scan of other sites on the topic, it appears that those who are fooled into opening the attachment to "view their new password" will in fact be launching a copy of the Bredolab Trojan, as featured in a recent ABC News article entitled "Facebookers Beware: Fake E-Mail Contains Virus."

Once installed, the Trojan is able to download and install other components, such as key-loggers that capture everything you type on your computer (including usernames and passwords) and software designed to identify and capture stored passwords. The captured data is forwarded to the email scam artist, who can then monitor and control the compromised computer without the owner's knowledge and has the information needed to commit identity theft and bank fraud.


Wednesday, March 17, 2010

Facebook Password Reset Confirmation! Customer Support Email Scam Virus

Due to the popularity of Facebook, with as many as 400M users by some accounts, email scam artists are using email scams targeted at Facebook users.

The following email was received recently:

From: Facebook Messages [mailto:networks@facebook.com]
Sent: Wednesday, March 17, 2010 12:55 AM
To: XXX@YYY.com
Subject: Facebook Password Reset Confirmation! Customer Support.

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.


Email scam analysis:

The first red flag should be that no legitimate social network, including Facebook, will ever reset your password for you without you requesting it. Secondly, they will never send you an attachment to open in order to receive a password that you requested be reset. You can bet that the payload of this email scam is a computer virus, most likely a Trojan Horse, used to steal the passwords of your online bank accounts for use in bank fraud, along with credit card numbers and personally identifiable information that can be used to commit identity theft.

The email is clever in that it appears to be sent from networks@facebook.com, which is not a real email address. This is referred to as email spoofing and is a commonly used trick by email scam artists to convince the targets of the email scam that the email is from a trusted source, thus luring the unsuspecting victim into opening the malicious attachment.

Key Takeaways:

Never, and I mean never, open an attachment from an unknown source. Even if you think you know the source (Facebook in this case), do not open the attachment unless it comes from a trusted individual.

Another level of scrutiny that can be applied to email attachments is to evaluate the subject line and make sure that it is consistent with the style of the sender. Some viruses, once they infect a computer, replicate themselves and send copies to any email addresses they can harvest from address books stored on the infected computer, thus taking advantage of the trust recipients place in email from someone they know.


These email scams can usually be identified by subject lines that are not characteristic of the writing style of the email sender. For example, I would not expect to see an email attachment with the subject "attached 0 tasty ass video of you" from my mother. 


These subject lines and emails are created and sent automatically by the infecting virus once it infects the unsuspecting victim who opens the malicious attachment, all without being noticed by the user of the infected computer. Often the victim is first alerted to the situation by an email from a friend or colleague who was infected by opening a malicious attachment received from the initial email scam victim.

More Information (The Nitty Gritty)

When sending email to that address, the following delivery failure is received:

Note: Forwarded message is attached.

Delivery has failed to these recipients or distribution lists:
networks@facebook.com
The recipient's e-mail address was not found in the recipient's e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.


Sent by Microsoft Exchange Server 2007

A closer inspection of the initial email scam header reveals the following information:

Return-path:

Received: (envelope-from )
Received: from 61.93.114.140 by odb.electricsheepcompany.com; Wed, 17 Mar 2010 
Tuesday, March 16, 2010

Email Scam Example | WILLIAM L.W. CHEUNG | williamcheung_jp@yahoo.cn

Email Scam:

Good Day To You My Friend.
It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to share with you. I got your reference in my search for someone who suits my proposed business relationship.
 I am Mr. William Leung Wing Cheung a South Korean, happily married with children; i work as an Executive Director of Hang Seng Bank Ltd, Head of Personal Banking. I have a confidential business suggestion for you. I will need you to assist me in executing a business project from Hong Kong to your country. It involves the transfer of a large sum of money. Everything concerning this transaction shall be legally done without hitch. Please endeavour to observe utmost discretion in all matters concerning this issue.
Once the funds have been successfully transferred into your account, we shall share in the ratio to be agreed by both of us. I will prefer you reach me on my private email address below (williamcheung_jp@yahoo.cn) and finally after that I shall furnish you with more information's about this operation. Should you be interested, please forward the following to me urgently:
1. Full names  
2. Occupation
3. Private phone number
4. Current contact address
Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture. Although nothing ventured is nothing gained.
Your earliest response to this letter will be appreciated.
Kind Regards,
Mr William Leung Wing Cheung.JP
Hang Seng Bank Limited
Hong Kong. {Asia}
Email: - williamcheung_jp@yahoo.cn

Analysis of email scam:
  1. First red flag: the email is sent to "To: undisclosed-recipients". This usually indicates that the email was BCC'd (blind carbon copied) to a whole bunch of potential bank fraud and identity theft victims solicited through SPAM email scams. On a BCC email it is not possible to see who else is receiving it; there would be no need to do this if the email were legitimate, since it would be addressed to you, the selected one.
  2. The email address of the sender, williancheung@fastwebmail.it, is different from the reply-to email address, williamcheung_jp@yahoo.cn.
  3. The goal of this email scam, like so many others, is to secure the recipient's trust and basic contact information; the beginning of the email tries to proactively address some common-sense concerns, including "why am I receiving this unsolicited email?"
  4. The email then tries to build trust in the fictitious sender by providing an official title: Executive Director of Hang Seng Bank Ltd, Head of Personal Banking.
  5. Like all similar email scams, this instance plays on the recipient's propensity for greed to entice them to provide the sender with their banking details so that the funds can be transferred into your account. More likely the funds will be transferred out of your account; can you say Bank Fraud!
  6. Three times the email scam asks the recipient to keep the offer confidential ("confidential business suggestion for you," "Please endeavour to observe utmost discretion in all matters concerning this issue," "Please if you are not interested delete this email and do not hunt me because I am putting my career and the life of my family at stake with this venture"). The last request for confidentiality even plays the guilt card by insinuating that sharing the details of this incredible, "legal" offer could put the sender's family at risk.

Please, never provide personal information to someone who is emailing you with a "confidential offer." If you are not expecting an email from somebody, scrutinize it carefully. Always apply a good deal of common sense and remember: if it sounds too good to be true, then it is.

Saturday, March 13, 2010

Email scam example | Mr.Kazim Obaid | United arab Emirates


The following email scam was received this morning at my business address. The email scam is particularly despicable in that it attempts to exploit the victims of the EgyptAir Flight 990 crash, a regularly scheduled flight from Los Angeles to New York and Cairo that crashed on October 31, 1999.

The SPAM email scam even provides a real link to a legitimate BBC news report on the tragic crash of Flight 990. This is done to build trust through the appearance of some affiliation with the BBC and to demonstrate that the subject referenced in the email scam relates to a real news story. The email references a deceased individual who is pictured in the BBC news story and claims to have funds from the named deceased which the sender would like to share with you.

The goal of the email scam is to get unsuspecting recipients of the spam email to respond, thus prequalifying them as potential Internet fraud victims and easy marks. Once the recipient responds to the email, which gets routed to the perpetrator's masked email address (kazimobaid121@gmail.com, see below), the potential victim will be asked for personally identifying information that can then be used by the perpetrator to engage in bank fraud and identity theft, all at the expense of the unsuspecting victim.


From Mr.Kazim Obaid


Reply-To: kazimobaid121@gmail.com (this is different from the From address, which should raise a red flag; the Gmail address is where the spam email scam perpetrator will read responses to the scam. The Reply-To address is viewable only by inspecting the email header information, which is hidden by default by the software used to read email.)

[spam email scam text inserted below]
From: "Mr.Kazim.Obaid" <kazimobaid3@hotmail.com>
Subject: From.Mr.Kazim.Obaid.
Date: Sat, 13 Mar 2010 04:09:26 +0400

To: undisclosed-recipients:; (anytime you see this in the To: line of an email message, it means the sender used BCC (blind carbon copy) to send the same scam solicitation to many different recipients)

Greetings From Dubai, [note that the email scam is not addressed to any particular recipient by name; this email is blasted to many potential Internet fraud victims]
This message might meet you in (utmost surprise),however,it's just my urgent need for foreign partner that made me to contact you for this transaction.I am a banker by profession from United Arab Emirates and currently holding the post of Director Auditing and Accounting unit of the bank.
I have the opportunity of transfering the left over funds($17.5million)our bank deceased customer late Richard Burson, who died on (Egypt Air Flight 990)along with his family on a plane crash below. http://news.bbc.co.uk/1/hi/world/americas/502503.stm. Hence i am inviting you for a business deal where this money can be shared between us in the ratio of 50/50 as a brotherhood.
If you agree to my business proposal.further details of the transfer will be forwarded to you as soon as i receive your return mail.
Respectfully
yours
Mr.Kazim Obaid
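The red flags walked through in these posts (a Reply-To address whose domain differs from the From address, a To: line of undisclosed-recipients, and a "password" email whose content arrives as an attachment, as in the spoofed networks@facebook.com message above) can be checked mechanically before anyone opens the message. The following Python script is an added example, not code from this blog; the two messages it parses are constructed from the headers quoted in the Facebook and Kazim Obaid posts, with abbreviated bodies and a placeholder attachment filename.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: header values follow the posts above, bodies are
# abbreviated, and the attachment filename is a placeholder.
ADVANCE_FEE = """\
From: "Mr.Kazim.Obaid" <kazimobaid3@hotmail.com>
Reply-To: kazimobaid121@gmail.com
To: undisclosed-recipients:;
Subject: From.Mr.Kazim.Obaid.

Greetings From Dubai,
"""

PASSWORD_RESET = """\
From: Facebook Messages <networks@facebook.com>
To: XXX@YYY.com
Subject: Facebook Password Reset Confirmation! Customer Support.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You can find your new password in attached document.
--b1
Content-Type: application/octet-stream; name="Facebook_Password.zip"
Content-Disposition: attachment; filename="Facebook_Password.zip"

(placeholder attachment body, not a real archive)
--b1--
"""


def domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return the red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    sender, reply_to = domain(msg.get("From", "")), domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:  # replies go somewhere other than the sender
        flags.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    if "@" not in msg.get("To", ""):  # e.g. "undisclosed-recipients:;" (BCC blast)
        flags.append("To: names no recipient (BCC blast)")
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if attachments and "password" in msg.get("Subject", "").lower():
        flags.append(f"password mail carries attachment(s): {attachments}")
    return flags
```

Run `triage()` over a raw message saved from your mail client; a legitimate, personally addressed message without these traits returns an empty list.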

Email Scam Information Introductory Post

This blog serves as an email scam information resource to educate new Internet users about the common email scams and SPAM (i.e. unsolicited email, not to be confused with the tasty processed ham in a can) used today to lure unsuspecting Internet victims into providing their personal information to criminals participating in Internet fraud.

The goal of the content posted to the Email Scam Information blog is to expose common email scams used to perpetrate identity theft and bank fraud against the new, unsuspecting potential victims coming online each and every day. Hopefully you find this resource before falling victim to Internet fraud achieved by email scams delivered as spam.

The overarching principle when dealing with spam email is that if you don't know the source and did not request the information, DO NOT PROVIDE PERSONAL INFORMATION OR OPEN/SAVE ANY ATTACHMENTS - UNDER ANY CIRCUMSTANCES.

Posts to this blog will include real example emails sent to a real business email address that was no doubt captured by one of the email harvesting programs used to aggregate email addresses for the purposes of SPAM (i.e. unsolicited email), which in many cases is sent illegally.

Comments and active participation are both encouraged. This includes sharing example emails and even more valuable, examples of situations where you were or know of a victim of an email scam. We are doomed to suffer repeat failure unless we learn from our [collective] mistakes!