Facebook and Twitter Phishing (on first sight)

The source of the articles is in the Avira Techblog:
Twitter Phishing (on first sight)
Facebook Phishing (on first sight)


Over the weekend our spam traps received a massive wave of emails looking like the one below:

The emails seem to stem from “Twitter Support” (support@twitter.com) and are addressed each to exactly one unique email address. The link in the email seems to be unique for each email sent, too. Quite an effort to make the email look more legitimate. The target link is always a compromised website holding an html page.

Amazon: Bestsellers Electronics and Photo

After clicking on the URL, a multiple stage redirection takes place. On some of these redirection websites, the intermediate page raises alerts because our engine detects encrypted content in JS.

Finally comes the surprise: The target website at the end of the redirects is not a phishing website but a Canadian online pharmacy.

For me personally this was a “Wow!” moment. Why did the spammers choose to send the emails as Twitter phishing? I think that the explanation is simple – they did it because nobody did it before.

As usual, users of the Avira Premium Security Suite and the users of our gateway products have no reasons to fear: the emails are detected as phishing and all target URLs are blocked.


Three weeks ago, our spam traps received massive amounts of spam mails which looked much more like Twitter phishing. This Twitter scheme obviously doesn’t work anymore, as we now are seeing plenty of mails which look like Facebook phishing.

The mails seem to stem from “Facebook” and use unique sender addresses that look like “notification+@facebookmail.com”.
Some observations about the current spam mails:

* Almost all the spams we’ve seen come from Russia (the “received” headers show that the sender sits in russian networks)
* There is always a fake Message-ID similar to the one from Facebook :
* The header “X-Mailer: ZuckMail [version 1.00]” is always the same
* There is an additional X-header called Errors-To with another email address at Facebook “notification+@facebookmail.com”

Amazon: Bestsellers Electronics and Photo

We asked ourselves why the cyber criminals do so much hassle with creating a phishing email in order to get redirected to an online pharmacy website. There are PROs and CONs if someone sends phishing emails using sites like Twitter and Facebook:

PRO: Using these sites which each having at least 100 million users worldwide, the spammers have the possibility to reach a huge audience. If even a 0.01% of the people buy something from those websites, then the operation was a success.

CON: Sending such a primitive phishing is a very bad idea because it is very simple to detect it. Practically, there is clear indication of phishing even for basic detection algorithms like those in Thunderbird.


Bottom line, the spammers are just trying everything to get some attention and therewith purchasers.

Short link: http://wp.me/p1Ipp-7s
Amazon: Bestsellers Electronics and Photo

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

2 Comments on "Facebook and Twitter Phishing (on first sight)"

  1. I’m a consultant working with Palo Alto Networks; they have an excellent whitepaper on the subject of blocking social networking apps that you may have to worry about, “To Block or Not. Is that the question?” here: http://bit.ly/d2NZRp. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.) Let me know what you think.
    There is a very cutting edge webinar coming up that you can register for now. It delves into social media and the role it will play in the future of the business world http://bit.ly/cR80Al

  2. Well Kelly,

    I agree that these technologies are very important, but what do you think after one of them introduces some malware in the company ?
    What do you think, will the company revise their policy about the Web 2.0 ?


Comments are closed.

%d bloggers like this: