Can you tell a real Facebook e-mail from a phishing attempt?
Summary: Notification e-mails from social networking sites like Facebook can be dangerous; if you're fooled by a phisher, you can click your way into big trouble. Here are four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake?
E-mail notifications are an important part of social networking services like Facebook. If you have to continually visit the site to see what's new, you lose much of the excitement that comes with comments on your photos or other shared items. If you forget to check for a day or two, you might miss an invitation to an event or an opportunity to connect with a long-lost friend who's in town for a day or two.
But e-mail notifications are also a security risk. If an attacker can create a realistic-looking imitation of a Facebook notification, you might find yourself clicking on a link that can lead to malware or attempt to steal your login credentials.
Unfortunately, phishers are getting better at what they do, and spotting a fake isn't as easy as you might think. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake? (Click any image to see it at full size, or visit the accompanying gallery to flip through all four screens at full size.)
Here's one that arrived last week. As with all the images, I've blurred personal information but otherwise these messages are shown in full, as they appear in Microsoft Outlook's preview pane.
If you guessed that one was a fake, congratulations. It led to a website that was flagged as dangerous by Microsoft's SmartScreen Filter, by Google's Safe Browsing feature, and by Safari. If you were using an outdated browser such as Internet Explorer 6 or 7, you would have seen an attempt to install a fake Flash update that was actually a password-stealing Trojan.
OK, let's try another. Real or fake?
Do you think that odd e-mail address indicates a fake? Confusingly, Facebook notifications come from the facebookmail.com domain and include a suspicious-looking sender's name. The long, complicated URL might also look suspicious, but this notification is a legit one from Facebook.
OK, here's a third test. Real or fake?
Hmmm. The previous, real notification included a long complicated URL. This one has a pair of buttons that you're supposed to click to see the comments a friend supposedly added to your shared link. That's a favorite trick that phishers and spammers use to disguise misleading links. Surprisingly, this one is legit.
OK, last one. Real or fake?
This is a particularly convincing fake. The graphics, fonts, button design, and links are all indistinguishable from a real Facebook notification. This particular phishing attempt led to a fake online pharmacy, but it could just as easily have led to a malware installer.
One of these fakes was good enough to slip past my spam filters. In that case, the only way to determine that it wasn't legit was to allow the mouse pointer to hover over a link or button to see what its true destination was. Here's what it looked like:
That's certainly not a legitimate link. Here, by contrast, is what a link from a real Facebook notification looks like:
It's a challenge to get nontechnical users in the habit of checking links before they click, but the results are well worth it.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
RE: Can you tell a real Facebook e-mail from a phishing attempt?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
+1
RE: Can you tell a real Facebook e-mail from a phishing attempt?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
Exactly... but even if they manage to send it to the correct email address, it's not going to show up because only the correct fb address will get through. All others are discarded.
It's not going to happen unless email encryption is mandated
The fact is, by and large every email gets sent as 'clear text' across all MTA intermediaries.
Putting it another way:
Would you put a paper letter in the mail without first placing it in a privacy envelope?
The answer is no you wouldn't unless you were sending a postcard.
If 'envelopes' are a mailing convention for privacy, why not make GnuPG or PGP the 'envelope' for all email correspondence?
Mandated use would solve many problems:
o ISPs could test the header of emails for signed certificates and if not present simply shunt the email offline
o Spam would be largely eliminated
o Users of the Internet would gain the privacy right they deserve
What say you Ed?
Message has been deleted.
Clearly, you demonstrate ignorance.
Digitally signing messages with GnuPG has nothing to do with domains.
Read:
h-t-t-p://en.wikipedia.org/wiki/GNU_Privacy_Guard
RE: Can you tell a real Facebook e-mail from a phishing attempt?
Encryption doesn't have anything to do with verifying the identity of another individual. It prevents a third party from viewing the email sent between two parties. If a spammer is sending me an email, I don't care if anyone else can intercept that email or not. It does nothing to resolve the issue of spam or phishing. GT2L's point about falsifying the identity portion of GPG is also valid. You set up your identity and GPG hashes a digital signature based on the information you gave it. Nothing more. There's a reason PGP is an abbreviation for Pretty Good Privacy, not Perfectly Great Privacy.
You are incorrect.
The case for email encryption:
h-t-t-p://luxsci.com/blog/the-case-for-email-security.html
<br><br>Reading is fundamental.
RE: Can you tell a real Facebook e-mail from a phishing attempt?
<i>If a user is not in your 'web of trust', then you can safely assume the email was totally unsolicited.</i>
True, but an unauthorized user can get into your "web of trust". That's the problem. The GPG uses information that the user gives it to create a digital signature. I could create a digital signature today identifying myself as Dietrich T. Schmitz * Your Linux Advocate. That doesn't make me you...thankfully.
<i>Reading is fundamental</i>
So is understanding concepts you pretend to know about.
Straw Man
h-t-t-p://hygelac.cas.mcmaster.ca/courses/SE-4C03-07/wiki/zagorajm/#HowWOT
RE: Can you tell a real Facebook e-mail from a phishing attempt?
OMG, you're all nuts.
Let's get a few things straight:
- The flagging system of ZDNet is for spam and abuse, not for disagreement.
- Encryption prevents people from reading your email without the right key.
- Digital signatures are for confirming identity.
- Encryption technologies are used for digital signing - they're the same technology used in different ways.
"Afterall, I can register a fake domain, and a certificate for my domain that claims to be Facebook or anyone else."
Sure, you can claim to be facebook, but your domain name will never be facebook.com, and your digital signature will never work with facebook.com. If you try to send email from facebook.com using your digital signature, it will fail because the digital signature does not match the domain name.
ONLY the digital signature given to the domain name facebook.com will EVER match the digital signature of facebook.com. This makes it a lot harder to pretend to be somebody else.
RE: Can you tell a real Facebook e-mail from a phishing attempt?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
http://howto.cnet.com/8301-11310_39-10434684-285/want-really-secure-gmail-try-gpg-encryption/
"The bigger problem with encrypted mail is convincing others to install the software and use it. Until then, you'll be like the proverbial owner of the world's single fax machine: nice technology, but there's nothing you can do with it until someone else gets one.
Also, if someone within a web of trust can be socially-engineered, a miscreant can forge a fake web of trust. In this case, would most individuals perform the due diligence required to identify the fake web of trust? More here (see 'signatures and webs of trust do not guarantee trustable keys'):
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
And, finally, someone within a web of trust could have their PC or user account pwned. Thus, providing a miscreant with access to their private key. Would most users create a revocation certificate and choose to store it in a safe place? Would they know how to create a revocation certificate? And how to apply it?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
I would submit, dual-authentication combined with email would tighten up email security--I already use it with my gmail accounts.
BTW, I didn't say using GnuPG would be easy--but if such a mandate were to come into play, Federal monies offsetting development of software that would ease usage should be offered well in advance of any compliance date.
Ubuntu comes with SeaHorse, but it's not currently easy.
But the encryption technology is and has been there for quite some time.
PGP Corp. has a good implementation.
RE: Can you tell a real Facebook e-mail from a phishing attempt?
http://www.openspf.org/FAQ/What_is_SPF
Doesn't solve the current gaping issue
I understand SPF, but it doesn't address the underlying specification which didn't go far enough or see the potential for abuse of forging the sender's id.
Encryption is the only long-term solution, but the software to make it easy is behind. Agreed?
RE: Can you tell a real Facebook e-mail from a phishing attempt?
Would you have a phone conversation without encryption? The entire planet has been doing it for decades with no real issues.
You don't even understand your own example. Would you open an envelope that comes from a person you know? Can you verify the contents are not junk (spam) or dangerous (trojans) before opening?
And 'clear text' is not at all the issue here. Nobody's email is being intercepted and modified, so encryption is irrelevant. Funny how you always jump into a conversation and change the subject.
RE: Can you tell a real Facebook e-mail from a phishing attempt?
You know, I'm not your 'biggest' fan in many respects, but that doesn't mean I can't respect your intellect. Well said.