The Facebook Email Scam: Have You Been Hit?

For the last two weeks, a phishing and malware scam has been propagating virally through Facebook, taking control of member accounts and blasting their friends with bogus messages. Today a new wave of attacks hit, gaining broader traction than ever despite Facebook's best efforts to combat the scheme.

When I first wrote about the scam a week ago, Facebook said it was taking the necessary actions to rehabilitate zombie accounts and stop any messages containing links to phishing sites or malware downloads. Since then, another rash of attacks has occurred in the form of spam email that appears to be sent from Facebook.

[Image: example of a bogus "Facebook" email]

Good enough to fool Gmail's spam filter, these bogus emails (one example seen above) are the hackers' entry point into the Facebook network. The messages ask users to click a link inside the message and log in to Facebook. Users are then taken to a bogus Facebook page, where entering their credentials surrenders them automatically to the hackers. Once the hackers take hold of an account, they turn it into a springboard for message blasts to a selection of that user's Facebook friends. The messages contain links to malware download sites and to other phishing sites that ask users for personal and financial information.

Facebook combats the proliferation of these zombie accounts in two ways: first, it identifies the accounts that are sending the bogus links out, and second, it removes any message from its servers that contains one of those links. Both steps are automated: Facebook can search its servers for known phishing or malware links and respond without human intervention. In theory, this should stop the scam in its tracks. So why hasn't it? (Below, a bogus Facebook message.)

[Image: a bogus Facebook message]

One answer, simply, is that Facebook users are being easily fooled. Facebook has reminded users to only enter their credentials into a site that originates from facebook.com, not another "one-off" URL. A common origin of some of the spam emails floating around is facebookmail.com, which is a one-off address not affiliated with Facebook.
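The "only enter credentials on a site that originates from facebook.com" advice is easy to state and easy to get wrong in practice. The following is an added Python example, not code from the article or from Facebook, showing how to check a link's origin by whole-label suffix match on the hostname rather than by a substring search, so that look-alike hosts are rejected. All sample links are constructed and use reserved `.invalid` names.

```python
from typing import Optional
from urllib.parse import urlsplit

# Domains the article says a real Facebook login page must originate from.
# Everything else, including look-alike hosts, is treated as untrusted.
TRUSTED_DOMAINS = ("facebook.com",)


def _hostname(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if it has none."""
    if "://" not in url:
        # A bare "facebook.com/login" would otherwise parse as a path.
        url = "http://" + url
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_facebook_origin(url: str) -> bool:
    """True only when the link's host is facebook.com or a subdomain of it.

    The suffix test runs on whole labels, so "notfacebook.com" and
    "facebook.com.example.invalid" are both rejected.  Userinfo tricks such
    as "https://facebook.com@evil.invalid/" are defeated by urlsplit, which
    reports evil.invalid as the host.
    """
    host = _hostname(url)
    if not host:
        return False
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_links(urls):
    """Split a list of links into (trusted, untrusted) for quick triage."""
    trusted = [u for u in urls if is_facebook_origin(u)]
    untrusted = [u for u in urls if not is_facebook_origin(u)]
    return trusted, untrusted


if __name__ == "__main__":
    # Constructed sample links (not from the article) covering each case.
    samples = [
        "https://www.facebook.com/login.php",
        "facebook.com/login",
        "http://facebookmail.com/login",
        "http://facebook.com.login-verify.invalid/",
        "https://facebook.com@phish.invalid/login",
        "http://notfacebook.com/",
    ]
    for u in samples:
        print("OK     " if is_facebook_origin(u) else "REJECT ", u)
```

Note that a substring test like `"facebook.com" in url` would accept four of the six sample links; the hostname-based check accepts only the first two.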

But the spam emails that are hitting users aren't very well composed; they pose as message alerts from friends you don't have, or ask you to recommend new friends to users you don't know. Once a zombie account begins its malicious work, those messages aren't very good, either. Sure, they come from people you know—but the message itself is often written in garbled English, or contains a generic exclamation that, well, just doesn't sound like anyone you know. It's hard to fathom that users are being duped at a rate sufficient to keep this thing alive, considering how aggressively Facebook said it's attacking the problem.

It's also known that the hackers aren't getting the best mileage out of each zombie account they pwn. Whatever script they wrote to automate message-sending within Facebook only sends messages to 15 or 20 friends at a time, out of hundreds or thousands. Presumably they've done this to ensure that Facebook can't identify a pwned account simply by its message volume, but they've also hampered the efficiency of the spread. In short, this scam is equipped like the common cold, but it's spreading like Ebola.

The only answer to its remarkable propagation: the scammers are coming up with hundreds or thousands of bogus links—perhaps automating the link-generation—so that each time Facebook eradicates a known bogus link from its servers, a new one is right behind it. But it's hard to fathom that anyone who'd run a scheme this amateurish—pro hackers would have crafted a worm that dug directly into Facebook's network—would be able to keep ahead of Facebook's security team.
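To make the two points above concrete (the two automated steps Facebook described, and why link rotation keeps ahead of them), here is an added Python sketch that is not Facebook's code. It runs a link-based message filter over a constructed batch of outbound messages: two "zombie" senders each message 18 and 16 friends, mirroring the 15-to-20-at-a-time behaviour the article describes, with links on one domain but different paths, and one ordinary user sends a normal link. The blocklist, domains and account names are all constructed. The domain-level matching at the end is an addition of mine, not something the article reports Facebook doing.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed outbound messages as (sender, recipient, link).  Batches 1 and 2
# imitate zombie accounts sending to ~15-20 friends; batch 3 is a normal user.
MESSAGES = (
    [("zombie1", f"friend{i}", "http://fb-video-update.invalid/v1/login") for i in range(18)]
    + [("zombie2", f"friend{i}", "http://fb-video-update.invalid/v2/clip") for i in range(16)]
    + [("alice", "bob", "https://news.example.org/story"), ("alice", "carol", None)]
)

# The one link already identified, in the exact-match form the article
# describes ("remove any message ... that contains one of those links").
EXACT_BLOCKLIST = {"http://fb-video-update.invalid/v1/login"}

VOLUME_THRESHOLD = 100  # sends per account; the scam stays far below it


def registrable_domain(url):
    """Crude registrable-domain extraction: the last two host labels.

    Good enough for the sample data; a production filter would consult the
    Public Suffix List so that names like example.co.uk are handled.
    """
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def exact_match(link, blocklist):
    return link in blocklist


def domain_match(link, blocklist):
    bad_domains = {registrable_domain(b) for b in blocklist}
    return registrable_domain(link) in bad_domains


def filter_messages(messages, blocklist, match):
    """Drop messages whose link hits the blocklist and report their senders.

    `match(link, blocklist)` decides what counts as a hit, so the same routine
    runs with exact-URL or domain-level matching.
    Returns (kept_messages, flagged_senders).
    """
    kept, flagged = [], set()
    for sender, recipient, link in messages:
        if link is not None and match(link, blocklist):
            flagged.add(sender)   # step 1: identify the sending account
            continue              # step 2: remove the message
        kept.append((sender, recipient, link))
    return kept, flagged


def high_volume_senders(messages, threshold=VOLUME_THRESHOLD):
    """Accounts exceeding a per-account send threshold (volume-only check)."""
    counts = Counter(sender for sender, _, _ in messages)
    return {s for s, n in counts.items() if n > threshold}


if __name__ == "__main__":
    kept, flagged = filter_messages(MESSAGES, EXACT_BLOCKLIST, exact_match)
    print("exact match  -> flagged:", sorted(flagged), "kept:", len(kept))
    kept, flagged = filter_messages(MESSAGES, EXACT_BLOCKLIST, domain_match)
    print("domain match -> flagged:", sorted(flagged), "kept:", len(kept))
    print("volume only  -> flagged:", sorted(high_volume_senders(MESSAGES)))
```

With exact matching, only `zombie1` is caught and the rotated `/v2/clip` link sails through, which is the race the article describes; matching on the registrable domain catches both senders in one pass, and the volume-only check catches neither, which is why small per-batch sends are not a useful signal on their own.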

Have you been hit by phishing or malware links, either in a Facebook message or an email? More than one? When did you get it?

Related: 10 Questions About the Facebook Hack Attacks
Related: Update: The Facebook Phishing Scam Continues


3 Comments

  • David Simpson

    This is interesting, I changed my mobile number on Facebook and within minutes I received a confirmation email from facebookmail.com

    But over the last few days I've received a lot of notification emails from the same address to let me know that this person and that person have accepted my friend request when I haven't actually sent any friend requests or gained any new friends.

    All a bit strange.

  • Phil Cooper

    Actually, facebookmail.com is a legitimate domain owned by Facebook. However, people may be getting bogus messages that appear to come from facebookmail.com, but actually come from another domain. To make sure, one must examine the email header carefully. If you're still unsure, don't click any links or images in the message; type "facebook.com" directly into your browser's location box and go to the real Facebook directly before attempting to sign in.
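The header examination the comment above recommends, written out as an added Python example (it is not the commenter's code or Facebook's). It parses a raw message with the standard library and compares the domain in the visible From: header with the bounce address in Return-Path: and with the sending host named in the outermost Received: header. Both sample messages are constructed; the first has inconsistent headers, the second consistent ones. A mismatch is a reason to look closer, not proof of forgery, since legitimate bulk senders sometimes use a separate bounce domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message: the visible From: claims facebookmail.com, but the
# bounce address and the last relay hop belong to a different domain.
INCONSISTENT_MESSAGE = b"""\
Return-Path: <bounce@mailer-relay.invalid>
Received: from mx.mailer-relay.invalid (mx.mailer-relay.invalid [192.0.2.10])
    by mail.example.net with ESMTP id 12345
    for <victim@example.net>; Mon, 18 May 2009 10:00:00 +0000
From: "Facebook" <notification+abc@facebookmail.com>
To: victim@example.net
Subject: You have a new message
Content-Type: text/plain

Hi, you have a new message. Click here: http://facebook-login-check.invalid/
"""

# Constructed message whose headers agree with each other.
CONSISTENT_MESSAGE = b"""\
Return-Path: <bounce@notify.example.com>
Received: from out1.notify.example.com (out1.notify.example.com [192.0.2.20])
    by mail.example.net with ESMTP id 67890
    for <victim@example.net>; Mon, 18 May 2009 10:05:00 +0000
From: "Example Notifications" <no-reply@notify.example.com>
To: victim@example.net
Subject: Your weekly digest
Content-Type: text/plain

Nothing unusual here.
"""


def domain_of(addr) -> str:
    """Lowercase domain part of an RFC 5322 address, '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def received_from_host(received) -> str:
    """Host named after 'from' in a Received: header, or '' if none."""
    tokens = str(received).replace("\n", " ").split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "from":
            return tokens[i + 1].lower().strip("()[]")
    return ""


def same_org(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def header_indicators(raw: bytes) -> dict:
    """Compare the claimed From: domain with where the mail actually came from.

    Returns the three domains plus a list of findings worth a closer look.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    received = msg.get_all("Received") or []
    # The first Received: header is the last hop before delivery.
    last_hop = received_from_host(received[0]) if received else ""

    findings = []
    if return_path_domain and not same_org(return_path_domain, from_domain):
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if last_hop and not same_org(last_hop, from_domain):
        findings.append(f"last hop {last_hop} is not under {from_domain}")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "last_hop": last_hop,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("inconsistent", INCONSISTENT_MESSAGE), ("consistent", CONSISTENT_MESSAGE)):
        result = header_indicators(raw)
        print(label, "->", result["findings"] or ["no header mismatch"])
```

Only the outermost Received: line is checked because it was written by the recipient's own mail server; inner Received: lines are supplied by whoever sent the message and cannot be trusted.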

  • Lorie

    I just received an e-mail in my Yahoo account.  I didn't click on anything.  I put it up on my wall @ FB.  I tried to put it out on the feed, but it disappeared and went directly to my wall.  How, where, can I send this e-mail to get it stopped?  Just spamming it doesn't seem like enough, and phishing it .... is that the way to go?  I would love to hear from someone ASAP, I do not want that e-mail even in my box!!