Tuesday, October 27, 2009
Security Warning: Facebook Fishing Attempt
All students of cyber-jutsu should be on guard against a recent fishing attack received by CyberCede Corporation.
The email looks official at first glance; but, we know Facebook would never send out such a message that was not at least first requested by the end user (you). The fishers are hoping that we open the attachment they have sent us, which is pretending to be a new password for us.
A closer examination of this email, in fact shows us that it is bogus. Here we are using Apple's Mail program. Within that application we can view the "long headers" as an option off of the "View" menu, by following the "Message" delta which opens a sub-menu. Users of other email programs should have some similar way to view more details regarding the transmission and receipt of the message.
We've blacked out some of the address particulars so as not to add to the amount of spam we are already processing, and I've circled the "Reply to" and "Return Path" fields in red. (see below)
We can see that the "Reply to" and "Return Path" fields are not consistent with the facade that this email is from Facebook.
We call this a "fishing attack", because the malicious agents are sending this email to potentially hundreds of thousands or more people in hopes that someone will "bite". Just like fishing, many fish may pass by the bait. All it takes is one big one on the hook to make the day pay off.
Exactly what the payload is, has not yet been determined. The payload is the file that they have sent. Since it is in "zip file" format, it could be a buffer overflow attack against a popular "unzip" program. Or the zipped file could be a less creative trojan horse or other malicious executable.
Regardless of what the payload is - we know this is not from Facebook. We all know to just delete the mail without replying to it or opening the attachment.