Facebook phish claims "Someone tried to log into your account"

An article by Christopher Boyd, a malware analyst, concerning fake emails from Facebook.

Facebook phish claims “Someone tried to log into your account”

Posted: March 21, 2022 by Christopher Boyd

Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it.

The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.

The phish

The mail itself combines a fairly clean design with minimal messaging. There’s a tendency with some phish attempts to overstuff the mail with all manner of nonsense to look more convincing. When that happens, we often see increasing amounts of typos or broken mail design. This one simply gets to the point. It reads as follows:

Someone tried to Iog into Your Account, User lD

A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it’s really you.

Thanks,

The Facebook Team

So far, so good. However, it goes a bit off the rails with the two clickable buttons presented. The first one says “Report the user” which makes sense. The second one just says “Yes, me” instead of something more plausible such as “Yes, it’s me” or even just “It was me”. This may set some alarm bells ringing.

The functionality

What happens when you click the button(s)? The expected process is to be whisked away to a phishing page and enter your details. Not here. This one follows the same pattern as a mail we covered a little while ago.

You may remember the phish attempt claiming to have detected unusual sign-in activity from Russia. That mail didn’t bother with phishing pages. Instead, it popped open a pre-formatted mail in your client of choice for you to respond to the creators. Anybody replying would likely receive additional requests for login details or much more besides.

This phish follows the same path, opening one of two pre-filled response styles depending on which button you select. “Report the user” is the most interesting one, pre-filling the subject line as “Send statement”.

What is sent back may be a booby-trapped document of some kind, or perhaps phishing done through a form. It’s also possible the dialogue will simply continue via mail. Whatever they’re up to, they should be treated with the cold shoulder they so richly deserve.

Go to the source

Always remember to navigate directly to the sender of supposed security alerts. If it’s genuine, you should be able to address whatever issue you’ve been sent. If there’s no sign of it, consider sending it along to them directly. It may be a scam sample they’ve not seen before, and this can in turn help them to protect a wider userbase. Above all else: don’t panic, because this is how attackers can trick you into doing something you’ll regret.

Report, block, and go about your day.

7 Likes
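As an added, defender-side example (not from the article or from Malwarebytes), the Python below scans an HTML mail body for call-to-action buttons that are mailto: links with a pre-filled subject, the pattern the article describes, and reports any whose recipient address is outside the brand's own domains. The sample HTML, the recipient address and the brand-domain list are constructed assumptions for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample resembling the mail described above; not the real phish.
SAMPLE_HTML = """
<p>Someone tried to log into Your Account</p>
<a href="mailto:report-desk@example.invalid?subject=Send%20statement">Report the user</a>
<a href="mailto:report-desk@example.invalid?subject=Yes%2C%20me">Yes, me</a>
<a href="https://www.facebook.com/help">Help Centre</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mailto_buttons(html, brand_domains=("facebook.com", "facebookmail.com")):
    """Return (button text, recipient, pre-filled subject) for each mailto: link
    whose recipient is not on one of the brand's domains (assumed list)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme.lower() != "mailto":
            continue  # ordinary web links are out of scope for this check
        recipient = url.path
        subject = parse_qs(url.query).get("subject", [""])[0]  # percent-decoded
        rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
        if not any(rcpt_domain == d or rcpt_domain.endswith("." + d) for d in brand_domains):
            findings.append((text, recipient, subject))
    return findings
```

Feeding a real mail body in place of SAMPLE_HTML turns this into a quick triage check: a "security alert" whose buttons open a mail client addressed to a third party is worth reporting rather than answering.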

Yea, I get them, and I don’t even have a farcebook account, so no panic, just irritation!
The same irritation I experience when stuff like this turns up (as I was replying here)

Second Notice

I am still awaiting your Current Address & Phone Number in order to
remit the pending inheritance payment to you.

Your prompt response is being anticipated for expedient action.

Yours Faithfully,
Anthony Delsato
Finders International

5 Likes

Another mitigation is to have a great many email addresses. Unless the notification arrives at the correct email address for the platform, the notification is likely to be a scam (and the odds are stacked against the scammer).

3 Likes

The Shovel or Betoota Advocate had a great satire about a person missing out on $millions because he did not respond to what was a genuine email :rofl:

I suspect some who read that one always reply just in case :laughing:

2 Likes

Which is a very poor outcome for society?

It would be more reflective of the education, inability to discern satire, and lack of common sense of anyone who did that.

Yet The Shovel and its global peers continue to struggle to make satire more absurd or funnier than reality in recent years. I have written numerous complaints to The Shovel in that I support a satire site and they need to stop publishing real news before it happens!

2 Likes

Just Poe’s Law being potentially demonstrated.

1 Like

Sadly true.