Fake Facebook “Facebook Password Reset Confirmation” Phishing Messages on the Rise, Bearing Viruses

If you get an email supposedly from Facebook (top addresses have been change@facebook.com and support@facebook.com) asking for a “Facebook Password Reset Confirmation”, don’t panic and assume that someone has reset your Facebook password (that’s exactly what the bad guys want you to do), and whatever you do, don’t download or open the attachment in the email! The attachment, named either facebook_password_139.zip or facebook_password_239.zip, is actually a Windows malware file, facebook_password_139.exe or facebook_password_239.exe.

Here’s how the email looks in a typical email program:

From: “Facebook Security” (change@facebook .com)
To: (test@example .com)
Subject: Facebook Password Reset Confirmation! Important Message
Attachments: Facebook_password_139.zip

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

But check out what the headers of this email reveal:

Date: Tue, 23 Mar 2010 08:13:04 -0600
From: “Facebook Security”
MIME-Version: 1.0
Message-ID: <000d01caca8a$923f4cc0$6400a8c0@myopicsv>
Received: from 173.213.163.99; Tue, 23 Mar 2010 08:13:04 -0600
To:
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-Mimeole: Produced By Microsoft MimeOLE V5.50.4927.1200
X-Msmail-Priority: Normal
Date: Tue, 23 Mar 2010 08:13:04 -0600
From: “Facebook Security” (change@facebook .com)
To: test@example .com
Subject: Facebook Password Reset Confirmation! Important Message
Attachments: Facebook_password_139.zip

Do you see that “Received: from 173.213.163.99”? That’s actually a DSL line with iowatelecom.net (the complete address associated with this IP address is “mnpl-01-0867.dsl.iowatelecom.net”). Obviously Facebook isn’t sending email from a regional ISP in Iowa. And do you see that “X-Mailer: Microsoft Outlook Express 5.50.4927.1200”? Facebook doesn’t use Outlook Express to send email to their subscribers, either. (In fact, Facebook sends out their email from a cluster of IP addresses serviced by their own in-house domain, tfbnw.net, and they use the Ecelerity mailing software.)

So, almost certainly, one of two things is going on here. Either there is an evil malware spammer sitting somewhere in Iowa Telecom’s service area, sending out malware using Outlook Express; or some poor schmuck’s PC has been co-opted as part of a botnet, which is now spewing malware while being controlled by some botnet herder overseas. It’s most likely the latter, but what’s important for you is to know how to recognize this email for what it is, and to not open it.
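The two header checks described above can be automated. The following is an added example, not code from the original article: it parses the headers shown here and flags a relay whose reverse-DNS name is outside the brand's expected sending domain, plus a desktop client in X-Mailer. The `EXPECTED_RELAY` profile, the `DESKTOP_MAILERS` list and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header values shown in the article, joined into one message.
SAMPLE = '''\
Date: Tue, 23 Mar 2010 08:13:04 -0600
From: "Facebook Security" <change@facebook.com>
To: test@example.com
Subject: Facebook Password Reset Confirmation! Important Message
Message-ID: <000d01caca8a$923f4cc0$6400a8c0@myopicsv>
Received: from 173.213.163.99; Tue, 23 Mar 2010 08:13:04 -0600
X-Mailer: Microsoft Outlook Express 5.50.4927.1200

'''

# Reverse-DNS name the article reports for the relay IP (static, so this runs offline).
PTR = {"173.213.163.99": "mnpl-01-0867.dsl.iowatelecom.net"}
# Assumption: where mail claiming each brand should originate, per the article's tfbnw.net remark.
EXPECTED_RELAY = {"facebook.com": ("tfbnw.net",)}
# Assumption: illustrative list of desktop mail clients, not exhaustive.
DESKTOP_MAILERS = re.compile(r"outlook express|eudora", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def under(host, suffixes):
    """True if host equals, or is a subdomain of, any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def analyze(raw, ptr_lookup=PTR.get):
    """Return a list of mismatches between the claimed sender and the headers."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    suffixes = EXPECTED_RELAY.get(domain)
    if not suffixes:  # sender does not claim a brand we have a profile for
        return []
    findings = []
    for hop in msg.get_all("Received", []):
        m = IP_RE.search(hop)
        if m:
            host = (ptr_lookup(m.group(0)) or "").lower()
            if not under(host, suffixes):
                findings.append(f"relay {m.group(0)} ({host or 'no PTR'}) is outside {suffixes}")
    mailer = msg.get("X-Mailer", "")
    if DESKTOP_MAILERS.search(mailer):
        findings.append(f"desktop client in X-Mailer: {mailer}")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print("SUSPICIOUS:", f)
```

Only the Received lines added by your own mail servers can be trusted; any line below them is supplied by the sender and may be forged.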


3 thoughts on “Fake Facebook “Facebook Password Reset Confirmation” Phishing Messages on the Rise, Bearing Viruses”

  1. My code is still not been accepted which is a pain as I am unable to access facebook and I need to get look in my spam folder

  2. That’s interesting, given the fact that when my wife went to go on FaceBook this morning, she was stopped and asked for her password, which the “website” would not accept.
    This was not an email, but one of her multi-tabs which open when she activates FireFox. She called me over and I attempted to watch, then insert her password, but “OK” would not do anything until it went “dormant”.
    She finally shut down FF and re-started it, … FaceBook came up regularly.
    Wonder what that was. I’m running IOBit on it to see if it’s OK by their standards.
    Thanks!
    Ted
