How to spot a fake Facebook password change notification and other malicious email messages

Fake Facebook Password Change Request

We are getting more and more of these and, I suspect, some of our clients are getting the same, so I thought that it may be handy to point out some easy ways to confirm that this was a fake.  The request looks very legitimate and, rather than just offering the link to change your password (which would be an obvious phishing email), they also give you the option to report this immediately if you didn’t send the request (it can’t be bad if they’re giving you an opportunity to report possible fraud, right?).  So, here are a few quick and easy tests to help determine if this is a legitimate request:
  • The message notes, in its footer, the email address that it’s being sent to.  In this case, solarwinds@cybertechcafe.net.  We use alias email accounts so that we can tell where an email came from (or who is selling our email addresses to marketing companies).  I am confident that I haven’t set up a Facebook account with solarwinds@cybertechcafe.net, so this is obviously bogus.  You may see something like bounce@yourdomain.com, abuse@yourdomain.com, etc.  The important thing to note here is that it’s not an email address that you have with your legitimate Facebook account.
  • If you hover your mouse over the links in the email (don’t click on them), you should be able to see where they actually lead.  These links should go to Facebook (or whoever the email is reportedly from).  In this case, the links say that they’re going to Facebook but hovering over them confirms that they’re actually going to http://fuser20488.vs.easily.co.uk/consuelo/index.html (link intentionally broken), which is clearly not a Facebook.com link.
  • This email doesn’t have any but, if you see obvious misspellings or grammatical errors, that’s another good sign that the email is a fake or a fraud.
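The first two checks can also be scripted for a saved message. The Python below is an added example, not part of the original post: it lists links whose real destination is outside the domain the email claims to come from, and compares the footer address with the one you registered. The sample HTML and the registered address `me@example.com` are constructed for illustration; only the link target comes from the email described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the email described above; the markup and
# link text are assumptions, only the link target is taken from the article.
SAMPLE_HTML = """
<p>You recently asked to reset your Facebook password.</p>
<a href="http://fuser20488.vs.easily.co.uk/consuelo/index.html">https://www.facebook.com/recover</a>
<a href="http://fuser20488.vs.easily.co.uk/consuelo/index.html">Let us know immediately</a>
<a href="https://www.facebook.com/help">Facebook Help Center</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, domain):
    # Exact domain or a true subdomain; "facebook.com.evil.example" fails.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, expected_domain):
    """Return (visible text, real host) for links leaving expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    pairs = [(text, urlparse(href).hostname or "") for href, text in collector.links]
    return [(text, host) for text, host in pairs if not host_matches(host, expected_domain)]

def recipient_is_registered(footer_recipient, registered_address):
    return footer_recipient.strip().lower() == registered_address.strip().lower()

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_HTML, "facebook.com"))
    print(recipient_is_registered("solarwinds@cybertechcafe.net", "me@example.com"))
```

Any entry in the first list, or `False` from the second check, is the scripted equivalent of what hovering over the link and reading the footer show by hand.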

As more and more antivirus software, email filters and firewalls are able to strip malicious attachments from email, attackers are having to find new and inventive ways to deliver viruses and other malicious content via email (email is an incredibly easy and efficient way for attackers to reach a huge group of potential victims).  One of these ways is to include links to sites that store the content.  Many times, these links a) point to sites that have been newly compromised and aren’t yet blacklisted and b) lead to content that exploits zero-day vulnerabilities that software, antivirus and firewall vendors haven’t yet been able to deliver patches for.  Based on that, an educated user is the best and only protection against this type of scam.  If you get an email that’s reportedly from Facebook warning that you requested a password change, or from DHL that your package is ready, or from ADP that there was a problem with your payroll, take a moment to check it out before reacting to the email and clicking.