Well guess what popped up in my email inbox this evening??
Another Facebook Service email with another attachment.
Now normally I would just delete the email…
But I figured with all the new changes that Facebook did to their website, someone just might open and run the attachment. So I figured this would be another learning opportunity for my non-geek friends.
So here’s the email:
Now the first thing wrong here is that you would NEVER receive an email from Facebook stating that they reset your password.
Next thing wrong is that there is a zip file attachment, while the message says it is a document.
Another thing to note…
Passwords would NEVER be emailed to you. They might have a link to their website where you would change the password there… But that itself could be very risky.
To make my point, you might get an email that has a link in the message.
Something similar to the link below:
(Don’t worry if you click on it)
So the display can be one thing, while the actual link goes to someplace totally different.
And here’s how I did it:
Here’s a tip on how to spot a fake URL or link:
Hover your cursor over the link and look at the bottom status bar of Internet Explorer.
It will typically display the actual link address.
So always be suspicious when reviewing your emails.
Anyway, back to the story
So like the geek I am, I check out the email header:
Received: from MFGWNSPH (192.168.1.1) by <blocked out my DNS Name> (192.168.1.254)
with Microsoft SMTP Server id 8.1.393.1; Mon, 8 Feb 2010 17:50:18 -0600
Received: from 220.127.116.11 by dev.null; Tue, 9 Feb 2010 08:50:03 +0900
From: Facebook Service <email@example.com>
Subject: Facebook Password Reset Confirmation! Important Message
Date: Tue, 9 Feb 2010 08:50:03 +0900
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
So from the header we see that IP address 18.104.22.168 is the one that sent the email.
Always remember that it is very easy to spoof the email address to whatever you want, in this case firstname.lastname@example.org.
The other thing to note in the header is that widowhoodn7@MyOwnPerson.com is the Return-Path, which also might be spoofed or might be a legitimate email address used by a zombie computer.
- Return-Path identifies the email address of the message’s sender.
- Zombie computer or Zombie is a computer connected to the Internet that has been compromised by a hacker, a computer virus, or a trojan horse.
- Trojan Horse – see http://en.wikipedia.org/wiki/Trojan_horse_(computing)
Anyway, like a good little geek, I check the header using an email lookup.
I like using http://www.ipaddresslocation.org/email-tracking/email-header.php
Here’s what it found:
I’m pretty sure that an email from email@example.com shouldn’t originate from South Korea.
Now I’m intrigued what the attachment is.
So let’s have a look:
Whenever you see an EXE file in a zip file, that spells T-R-O-U-B-L-E.
Please do not attempt this at home or at work unless you are a trained security professional.
If you do, then you’re a bonehead and get what you deserve.
So I then decide to extract the file to C:\Temp for further investigation.
And lo and behold, there it is: A TROJAN HORSE
So I click on the link to view more information….
Here’s the link:
Not really a lot of detail, so I checked Threat Expert and found a lot more detail for my geek friends:
The moral(s) of the story:
- Social Network sites like Facebook don’t email passwords
- Zip files containing files with names ending in .exe are never a good thing
- Be careful clicking on links
- Don’t open and run attachments without having up-to-date malware protection software