Facebook and Twitter Phishing (on first sight)

The source of the articles is in the Avira Techblog:
Twitter Phishing (on first sight)
Facebook Phishing (on first sight)

Twitter

Over the weekend our spam traps received a massive wave of emails looking like the one below:
[Image: the phishing email]

The emails appear to come from “Twitter Support” (support@twitter.com), and each one is addressed to exactly one unique email address. The link in each email appears to be unique, too. That is quite an effort to make the email look more legitimate. The target link always points to a compromised website hosting an HTML page.


After clicking on the URL, a multi-stage redirection takes place. On some of these redirection websites, the intermediate page raises alerts because our engine detects encrypted content in JavaScript.

Finally comes the surprise: The target website at the end of the redirects is not a phishing website but a Canadian online pharmacy.

For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.

As usual, users of the Avira Premium Security Suite and of our gateway products have no reason to fear: the emails are detected as phishing and all target URLs are blocked.

Facebook

Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we are now seeing plenty of mails which look like Facebook phishing.

The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+@facebookmail.com”.
[Image: the spam email]
Some observations about the current spam mails:

* Almost all the spam we’ve seen comes from Russia (the “Received” headers show that the sender sits in Russian networks)
* There is always a fake Message-ID similar to the one from Facebook:
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook, “notification+@facebookmail.com”
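The traits listed above are all written by the sender, so they only show what the mail claims to be; the Received line added by the recipient's own mail server is the part the sender cannot forge. The following is an added example, not code from the article or from Avira: it compares the two on a constructed message. The relay allowlist, the Postfix-style Received format and all hosts and addresses in the sample are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the article): relay domains accepted per claimed sender domain.
BRAND_RELAYS = {"facebookmail.com": ("facebook.com", "facebookmail.com"),
                "twitter.com": ("twitter.com",)}

# Constructed sample; hosts and IPs are reserved documentation values.
SAMPLE = (
    "Received: from smtp.sender.example (dsl-45.isp.example [203.0.113.45])\n"
    "\tby mx.recipient.example (Postfix) with ESMTP id CONSTRUCTED1;\n"
    "\tFri, 1 Jan 2010 10:00:00 +0000\n"
    "From: Facebook <notification+sample@facebookmail.com>\n"
    "Message-ID: <constructed-id@www.facebook.com>\n"
    "X-Mailer: ZuckMail [version 1.00]\n"
    "Errors-To: notification+sample@facebookmail.com\n"
    "\n"
    "constructed body\n"
)

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def handoff_client(msg):
    """(rDNS name, IP) our own MX recorded for the connecting client: topmost Received."""
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\(([^\s\[\]()]+)\s+\[([0-9A-Fa-f.:]+)\]\)", top)
    return (m.group(1).lower(), m.group(2)) if m else ("unknown", None)

def triage(raw):
    """Compare what the sender-written headers claim with what the relay hop shows."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    relays = BRAND_RELAYS.get(claimed)
    if relays is None:
        return None  # From: does not claim a tracked brand
    echoed = []  # sender-controlled headers that repeat the brand; none is evidence
    if "ZuckMail" in msg.get("X-Mailer", ""):
        echoed.append("X-Mailer")
    if parseaddr(msg.get("Errors-To", ""))[1].lower().endswith("@" + claimed):
        echoed.append("Errors-To")
    mid_host = msg.get("Message-ID", "").strip("<> \t").rpartition("@")[2].lower()
    if under(mid_host, relays):
        echoed.append("Message-ID")
    rdns, ip = handoff_client(msg)
    return {"claimed": claimed, "echoed": echoed, "relay": (rdns, ip),
            "suspicious": not under(rdns, relays)}
```

In production this comparison is what SPF, DKIM and DMARC automate; the sketch only makes visible why copied X-Mailer, Message-ID and Errors-To values carry no weight.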


We asked ourselves why the cyber criminals go to so much trouble creating a phishing email just to redirect people to an online pharmacy website. There are pros and cons to sending phishing emails that use sites like Twitter and Facebook:

PRO: Because each of these sites has at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even 0.01% of the people buy something from those websites, then the operation was a success.

CON: Sending such a primitive phishing email is a very bad idea because it is very simple to detect. In practice, there is a clear indication of phishing even for basic detection algorithms like those in Thunderbird.


Bottom line, the spammers are just trying everything to get some attention and, with it, purchasers.



© Copyright 2010 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working in the IT security industry since 2000 and worked for Avira between 2003 and 2014 as Product Manager for the known products used by over 100 million users worldwide. Today he is an independent IT Security Consultant focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog, Sorin Mustaca on Cybersecurity, and is the author of the free eBook Improve your security.

2 Comments on "Facebook and Twitter Phishing (on first sight)"

  1. I’m a consultant working with Palo Alto Networks; they have an excellent whitepaper on the subject of blocking social networking apps that you may have to worry about, “To Block or Not. Is that the question?” here: http://bit.ly/d2NZRp. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.) Let me know what you think.
    There is a very cutting edge webinar coming up that you can register for now. It delves into social media and the role it will play in the future of the business world http://bit.ly/cR80Al

    • Well Kelly,

      I agree that these technologies are very important, but what do you think after one of them introduces some malware in the company?
      What do you think, will the company revise their policy about the Web 2.0?

      Sorin
