Fake Facebook “Facebook Password Reset Confirmation” Phishing Messages on the Rise, Bearing Viruses

The Internet Patrol - Patrolling the Internet for You

If you get an email supposedly from Facebook (the most common sender addresses have been change@facebook.com and support@facebook.com) asking for a “Facebook Password Reset Confirmation”, don’t panic thinking that someone has reset your Facebook password (that’s exactly what the bad guys want you to do), and whatever you do, don’t download or open the attachment that is in the email! The attachment, named either facebook_password_139.zip or facebook_password_239.zip, is actually a Windows malware file, facebook_password_139.exe or facebook_password_239.exe.

Here’s how the email looks in a typical email program:


From: “Facebook Security” (change@facebook .com)
To: (test@example .com)
Subject: Facebook Password Reset Confirmation! Important Message
Attachments: Facebook_password_139.zip

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

But check out what the headers of this email reveal:

Date: Tue, 23 Mar 2010 08:13:04 -0600
From: “Facebook Security”
MIME-Version: 1.0
Message-ID: <000d01caca8a$923f4cc0$6400a8c0@myopicsv>
Received: from 173.213.163.99; Tue, 23 Mar 2010 08:13:04 -0600
To:
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4927.1200
X-Msmail-Priority: Normal
Date: Tue, 23 Mar 2010 08:13:04 -0600
From: “Facebook Security” (change@facebook .com)
To: test@example .com
Subject: Facebook Password Reset Confirmation! Important Message
Attachments: Facebook_password_139.zip

 

Do you see that “Received: from 173.213.163.99”? That’s actually a DSL line with iowatelecom.net (the complete address associated with this IP address is “mnpl-01-0867.dsl.iowatelecom.net”). Obviously Facebook isn’t sending email from a regional ISP in Iowa. And do you see that “X-Mailer: Microsoft Outlook Express 5.50.4927.1200”? Facebook doesn’t use Outlook Express to send email to their subscribers, either. (In fact, Facebook sends out their email from a cluster of IP addresses serviced by their own in-house domain, tfbnw.net, and they use the Ecelerity mailing software.)

So, almost certainly, one of two things is going on here. Either there is an evil malware spammer sitting somewhere in Iowa Telecom’s service area, sending out malware using Outlook Express; or some poor schmuck’s PC has been co-opted as part of a botnet, which is now spewing malware while being controlled by some botnet herder overseas. It’s most likely the latter, but what’s important for you is to know how to recognize this email for what it is, and to not open it.
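The two header checks described above, as an added example (not code from The Internet Patrol): it compares the relay's reverse-DNS name and the X-Mailer value against what the article says genuine Facebook mail looked like. The function `check_headers`, the `EXPECTED_RDNS` profile, the desktop-mailer list and the restored From/To addresses in the sample are assumptions made for illustration; the reverse-DNS lookup is passed in so the check runs offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the article, with the From/To
# addresses restored from the message as displayed in the mail client.
RAW = """\
Date: Tue, 23 Mar 2010 08:13:04 -0600
From: "Facebook Security" <change@facebook.com>
Received: from 173.213.163.99; Tue, 23 Mar 2010 08:13:04 -0600
To: <test@example.com>
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
Subject: Facebook Password Reset Confirmation! Important Message

Dear user of facebook,
"""

# Reverse-DNS name the article reports for the relay IP.
PTR_FROM_ARTICLE = {"173.213.163.99": "mnpl-01-0867.dsl.iowatelecom.net"}
# Assumed sending profile, built from the article's statement about tfbnw.net.
EXPECTED_RDNS = {"facebook.com": ("tfbnw.net",)}
# Assumed, non-exhaustive list of desktop clients a bulk sender would not use.
DESKTOP_MAILERS = ("outlook express", "thunderbird", "apple mail")


def check_headers(raw, rdns_lookup):
    """Return findings for a message whose From domain has a known profile."""
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    suffixes = EXPECTED_RDNS.get(domain)
    if suffixes is None:
        return findings  # no profile for this From domain, nothing to compare
    # The topmost Received header is the one your own server added;
    # anything below it was supplied by the sender and can be forged.
    received = msg.get_all("Received", [])
    m = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", received[0]) if received else None
    if m:
        host = (rdns_lookup(m.group(0)) or "").lower()
        if not host.endswith(tuple("." + s for s in suffixes)):
            findings.append(f"relay {m.group(0)} ({host or 'no PTR'}) "
                            f"is not under {', '.join(suffixes)}")
    mailer = msg.get("X-Mailer", "")
    if any(d in mailer.lower() for d in DESKTOP_MAILERS):
        findings.append(f"desktop mail client in X-Mailer: {mailer}")
    return findings

if __name__ == "__main__":
    for finding in check_headers(RAW, PTR_FROM_ARTICLE.get):
        print("SUSPICIOUS:", finding)
```

In production the lookup argument would be a real PTR resolver, and SPF/DKIM/DMARC results from your own mail server are a stronger signal than either heuristic here.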


3 thoughts on “Fake Facebook “Facebook Password Reset Confirmation” Phishing Messages on the Rise, Bearing Viruses”

  1. My code has still not been accepted, which is a pain as I am unable to access Facebook and I need to get look in my spam folder

  2. That’s interesting, given the fact that when my wife went to go on FaceBook this morning, she was stopped and asked for her password, which the “website” would not accept.
    This was not an email, but one of her multi-tabs which open when she activates FireFox. She called me over and I attempted to watch, then insert her password, but “OK” would not do anything until it went “dormant”.
    She finally shut down FF and re-started it, … FaceBook came up regularly.
    Wonder what that was. I’m running IOBit on it to see if it’s OK by their standards.
    Thanks!
    Ted
