Last week I was checking through my spam email folder. I do this every now and then, just in case I miss an important email, and because I get sent so many emails that my spam folder gets pretty full. I noticed a Facebook notification saying that Ana Scott had tagged me in some photos. Luckily our spam filter had picked it up.
As you can see, it looks like a legitimate Facebook email; however, some quick analysis of the email shows just how wrong first impressions can be. You can also follow these steps to make sure the emails you receive are legitimate.
Step 1: Check the email address of the sender
– In this case it looks strange; however, it is from @facebookmail.com, so perhaps it could be legitimate. After all, I am not an expert in Facebook email domains.
Step 2: Check the links, but don’t click on them
– Placing my cursor over the link clearly shows that the link does not go to Facebook but to a website based in Germany.
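The two manual checks above can also be scripted for sweeping a spam folder. This is an added Python example, not code from the post: it applies step 1 (which domain the sender address claims) and step 2 (where each link actually points, extracted from the HTML without fetching anything) and reports links whose domain is not one of the trusted brand domains. The message and the link host tagged-photos.example are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo, not the email described in the post.
SAMPLE_EML = """\
From: Facebook <notification@facebookmail.com>
Subject: Ana Scott tagged you in 3 photos
Content-Type: text/html; charset=utf-8

<html><body><p>Ana Scott tagged you in 3 photos.</p>
<a href="http://tagged-photos.example/view">See photos on Facebook</a>
<a href="https://www.facebook.com/settings">Unsubscribe</a></body></html>
"""

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> tag; nothing is fetched.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Last two labels only; a production tool would use the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw, trusted_domains):
    # Step 1: sender domain.  Step 2: where each link really points (hover, not click).
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    suspicious = [(text, href) for href, text in extractor.links
                  if registered_domain(urlparse(href).hostname or "") not in trusted_domains]
    return {"sender_domain": sender_domain,
            "sender_ok": registered_domain(sender_domain) in trusted_domains,
            "suspicious_links": suspicious}
```

On the sample, the sender check passes (facebookmail.com) while the "See photos" link is flagged, which is exactly why step 2 matters even when step 1 looks fine.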
What struck me most about the email was that it uses a social engineering technique that would intrigue most people, i.e., someone has tagged me in photos and I want to see them. It doesn’t matter that I don’t have a friend called Ana Scott; she tagged me, and so I am curious. Now… whether it was intentional or not, the spammer used a name that sounded familiar to me, but thanks to my wife’s love of the film Notting Hill I know that Anna Scott is the lead character and not a “Friend” of mine (but it is a name that many people may have heard, and therefore more likely to build intrigue and the probability of a response).
After consulting one of our leading threat experts, Jon Oliver, it became apparent that this email was actually part of a Blackhole Exploit Kit (BHEK) spam run; the links in the email redirect the user and eventually download malware to their system. While I’m not sure what the end result would have been for me if I had been infected, evidence of past BHEK runs shows they generally use financial institutions, e-commerce and global events as lures that get users to click on links and secretly install malware that steals banking credentials, personal information, etc.
Jon also advised me that the profile photo was lifted from some Russian social networking sites.
Luckily for me, our spam filter caught the email, and even if I had clicked the link our web security would have blocked it. Others who are not so up to date with security risks, and who maybe don’t have the latest security protecting them, would have fallen for what is a fairly well-crafted phishing attack.
I hope this serves as a warning to email users out there that they always need to be careful, and a little suspicious, of emails they weren’t expecting. I hope it provides some simple steps that they can take to double-check an email before clicking a link.