Is This a Real Phish or Not?
Join me on my journey of self-discovery…well, phishing self-discovery.
I received the following email in my personal email inbox, purporting to be from Facebook asking me to update my trusted contacts.
Trusted Contacts
I had to rack my brain a few seconds to remember what Facebook Trusted Contacts were. Then I remembered. Years ago, Facebook prompted me to set up some Trusted Contacts. These are friends, family members or co-workers (with active Facebook accounts themselves) whom you can entrust to help you regain control of your Facebook account in case you ever get locked out for any reason. Users often lose their access because hackers phished the legitimate users out of their Facebook login credentials, then logged in as them, changed the legitimate user’s password and took control of the victim’s Facebook account. It happens hundreds of thousands to millions of times a day. It is a large “at-scale” problem. And Trusted Contacts, if set up beforehand, are people who can send you a recovery code with a custom URL link you can use to get back into your account. I have never had to use it, and Facebook has never asked me about it since the day I set it up long ago.
Signs of a Phishing Message
I have a basic rule of thumb for determining if an email, or any message, no matter how it arrives (e.g., email, website, SMS, social media, voice call, etc.), is possibly a phish. If any message contains three or more of the following five attributes, I rank it high on my list as a possible phish:
Not every malicious message contains all of these attributes, but most do. This particular email contained four of the five, lacking only an immediate stressor claim, although alluding to my possibly being locked out in the future because my Trusted Contacts are not updated might be construed as a stressor event.
I was not sure if this was a phish or not. I had never heard of facebookmail.com. That is strange, but maybe it is legit and I just never heard of it or forgot about it. My initial gut feeling is that this was a phish. But the URL link on the button they wanted me to click on pointed to the legitimate Facebook.com when I hovered over it (as you should with all URLs before you click).
That is usually safe to click on, but these days, it could also be a trick involving OAuth, of which Facebook is a participant and provider. To find out if this link would log me in with my regular FB user account credentials or my OAuth credentials, I would have to click the link, and I was not ready to do that yet.
For more information on OAuth scams, see: https://blog.knowbe4.com/watch-out-for-oauth-phishing-attacks-and-how-you-can-stay-safe.
When I clicked on the “help” URL link in the email, even that page warned me not to trust emails claiming to be from companies I trust.
The suspected email did not ask me directly for my password, but clicking on the link would take me to a site that would.
I searched on the mailing address shown in the email. It said 1 Facebook Way, Menlo Park, CA 90425.
When I searched on the address, the results revealed that Facebook’s (currently published) mailing address was 1 Hacker Way (see image below).
Now, that is a little confusing. So, 1 Hacker Way is the real street address? Wow! If that address had been in the email, I would have deleted it as phishing for sure. Strange mailing address. But, hey, what is wrong with a little edginess? I am even glad they promote hackers and hacking as a good thing.
What was even more confusing, though, was that the Internet is full of scam warnings showing verified real phishes using 1 Facebook Way as the address the phishers used, and all the warnings pointed out that Facebook’s real address is 1 Hacker Way. Here is an example Facebook scam warning that mentions the 1 Facebook Way as a scam address: https://www.thederbeian.com/post/facebook-scam-alert
Confusing the matter, I did see some seemingly legit mentions of 1 Facebook Way as a legitimate address, including this one:
But when I clicked on even that link, it then brought up the 1 Hacker Way address. Very confusing. Maybe they changed street names somewhere along the way.
So, I did what I always tell people to do if they have a suspected phish. When in doubt, ignore the message, go directly to the claimed origination source and see if the source still asks you to do the same thing. I went to facebook.com to see if it prompted me to update my Trusted Contacts. It did not. I went to my Trusted Contacts settings (Settings, Security & Login, Setting Up Extra Security) to see if it mentioned anything about updating my Trusted Contacts. Nope.
So, I had clues going both ways: some suggesting this was a phish and some suggesting it was not.
I asked friends and co-workers what they thought. I had people come down on both sides of the issue, pretty evenly split. So, basically it was still up to me. I could do more research or just delete and ignore it. I decided to open up the email’s headers to see if it had passed the SPF, DKIM and DMARC checks (see below):
It did pass all three checks (SPF, DKIM and DMARC).
Note: I teach a one-hour course on SPF, DKIM and DMARC if you are interested: https://info.knowbe4.com/implementing-dmarc?hsCtaTracking=RG
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are three global phishing protection standards that prevent domain spoofing in emails. In a nutshell, if you receive an email claiming to be from a particular domain and it passes all three checks, the email really did come from the domain it claims.
So, this email really did come from email server/service(s) authorized to send email on behalf of facebookmail.com. The next step was to go and see who owned facebookmail.com. Was it Facebook or someone else (the latter being more suspicious)? I went to MXToolbox, one of my favorite sites for looking up DNS, WHOIS, and blacklisting checks. The result is below:
It revealed that the real Facebook company owned the domain. So, unless Facebook’s own domain was compromised and sending phishing emails, this was a legit email from Facebook. Facebook does get compromised from time to time, and companies with bad intentions often abuse their services, but this was very strong evidence that the suspected “phish” was a legit email.
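The header and link checks walked through above (hovering to see where a link really points, then reading the SPF, DKIM and DMARC results out of the message headers) can be automated for triage. The following is an added example, not code from the article or from KnowBe4: a standard-library-only Python script that reads a raw message, reports the visible From: domain, the SPF/DKIM/DMARC verdicts recorded by your own mail server in its Authentication-Results header, whether the DMARC-evaluated domain lines up with the From: domain, and the hosts the HTML links actually target. It assumes the receiving server's authserv-id is mx.example.net, and both messages it runs on are constructed samples (the first modelled on the article's facebookmail.com / facebook.com case, the second showing an injected Authentication-Results header from an untrusted relay, which the parser ignores). It deliberately stops at "authenticated"; whether the sender domain belongs to the company it claims is the WHOIS step the article does separately.

```python
"""Triage helpers for a suspected phish, standard library only (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the article's case: sender domain
# facebookmail.com, button pointing at facebook.com. The authserv-id
# "mx.example.net", the IP and the Message-ID are all made up.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=facebookmail.com;
 dkim=pass header.d=facebookmail.com header.i=@facebookmail.com;
 dmarc=pass (p=REJECT) header.from=facebookmail.com
From: Facebook <security@facebookmail.com>
To: me@example.net
Subject: Update your trusted contacts
Message-ID: <constructed-0001@facebookmail.com>
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your trusted contacts have not been updated recently.</p>
<a href="https://www.facebook.com/settings?tab=security">Update trusted contacts</a>
<a href="https://www.facebook.com/help/">Help</a>
</body></html>
"""

# Constructed counter-example: a relay outside our control stamped an
# Authentication-Results header claiming everything passed, but our own
# server's header says otherwise, and the link leaves the sender's domain.
FORGED_EMAIL = """\
Authentication-Results: attacker-relay.example; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=facebookmail.com; dkim=none; dmarc=fail header.from=facebookmail.com
From: Facebook <security@facebookmail.com>
To: me@example.net
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://account-check.invalid/login">Verify your account</a></body></html>
"""

_RESULT_RE = re.compile(r"^(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
_PROP_RE = re.compile(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", re.IGNORECASE)


def parse_auth_results(msg, trusted_authserv_id):
    """Map method -> {"result": ..., properties}, taken only from
    Authentication-Results headers stamped by the server we trust (RFC 8601
    authserv-id). Headers stamped by earlier hops are discarded, because the
    sender controls those and can forge a "pass"."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, body = str(value).partition(";")
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue
        for clause in body.split(";"):
            m = _RESULT_RE.match(clause.strip())
            if m:
                entry = {"result": m.group(2).lower()}
                entry.update((k.lower(), v.lower()) for k, v in _PROP_RE.findall(clause))
                results[m.group(1).lower()] = entry
    return results


class _LinkCollector(HTMLParser):
    """Collects href targets, i.e. what hovering over each link would show."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def link_hosts(html):
    parser = _LinkCollector()
    parser.feed(html)
    return [urlsplit(h).hostname or "" for h in parser.hrefs]


def assess(raw, trusted_authserv_id="mx.example.net"):
    """Summarise the evidence without deciding 'legit': an 'authenticated'
    message provably came from servers authorised for its From: domain, which
    is all SPF/DKIM/DMARC establish. Who owns that domain is a WHOIS lookup."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.rpartition("@")[2].lower()
    auth = parse_auth_results(msg, trusted_authserv_id)
    checks = {m: auth.get(m, {}).get("result") == "pass" for m in ("spf", "dkim", "dmarc")}
    aligned = auth.get("dmarc", {}).get("header.from") == sender
    part = msg.get_body(preferencelist=("html",))
    hosts = link_hosts(part.get_content() if part else "")
    return {
        "from_domain": sender,
        "checks": checks,
        "dmarc_aligned": aligned,
        "authenticated": all(checks.values()) and aligned,
        "link_hosts": hosts,
        # naive registrable-domain guess (last two labels), enough to flag
        # links that leave the sender's domain for a closer look
        "link_domains": sorted({".".join(h.split(".")[-2:]) for h in hosts if h}),
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("forged", FORGED_EMAIL)):
        print(name, assess(raw))
```

On the first sample the script reports all three checks passing, DMARC aligned with the From: domain, and both links on facebook.com; on the second it ignores the relay's forged header entirely and reports failures from the trusted server plus a link to an unrelated host. Note that "link domain differs from sender domain" is only a prompt to look closer: in the article's own case the mail came from facebookmail.com while the button went to facebook.com, and the two were tied together by the WHOIS result, not by the headers.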
Just to be extra safe, I opened up the link on a virtual machine. It asked for my real Facebook credentials on the facebook.com website, and then took me to the same Trusted Contacts page I had seen before. Case closed.
I decided to share this journey to legitimacy because about half of my knowledgeable friends thought, like me initially, that it looked phishy. A few were certain it was a phish. And a few of my most knowledgeable friends who said it was legit still thought it had weird, phish-like characteristics. In the end, DMARC came to the rescue with the final clue that I needed to push me over the wall to decide it was likely legitimate.
Self Employed at Strung-Out-And-Stoned Gems
9 months
I got this today - I just blocked it...
Fine art handweaver, colorist, and textile designer
1 year
Thank you for the help with a very confusing kind of message.
Doing what I can to improve your day. CreateTime4You Home Services supports with gardening and painting. Being a SuperPatch associate allows me to help others with drug free alternatives for health, wellness and sports
1 year
I received a message on Messenger with similar information and will not click on the link as I have a gut feeling it isn't legit. You just never know. I hovered over the link and it gave me only a date, nothing else. So still unsure if it is legit Facebook or not.
Director of Marketing, Promotions & Special Events
1 year
Tina Deimling is a fake. I've received SEVERAL emails, private DMs to release my password and cc to my business account. It looks real, but any credible business WILL NOT ask for those details via Messenger. Be diligent, people. The scammers are out there.
--
1 year
I just received a message a few days ago which was sent to my Messenger for my business account from a sender account by the name of Matter under investigation (of course it was typed exactly like this, without using capital letters for the “U” in under nor for the “I” in investigation), with its Facebook email being matter.under.investigation.2023. Anybody know if this could in fact be phishing or not? Thanks in advance. Message that was sent:

Important Notification: Your Facebook page is scheduled for permanent deletion due to a post that has infringed upon our trademark rights. We have reached this decision after a thorough review and in accordance with our intellectual property protection policies. If you believe this to be a misunderstanding, we kindly request you to file a complaint seeking the reinstatement of your page prior to its removal from Facebook. Request for Review: https://meta-enterprise-support-id102.web.app We understand that this situation may impact your ongoing business operations. However, please be informed that if we do not receive a complaint from you, our decision will be final. Your cooperation and understanding are greatly appreciated. Should you have any inquiries or apprehensions, please feel free to reach out to us. Sincerely, Facebook Support Team. Noreply Facebook. Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025