Friends

Wednesday, October 27, 2010

Be careful of fake Facebook Deactivation Notification

Sorry, this time I am writing this post in English, because I think it is important and people should know about it. If I write in English, more people will be able to read it.
Today I was quite shocked to find a Facebook deactivation notification in my inbox. As far as I remember, I have never deactivated my Facebook account. The notification looks like this:
[image: fake Facebook deactivation notification]
It looks like an official Facebook mail, because it comes from facebookmail.com. I panicked for a little while. But when I tried to click the link to reactivate, nothing happened. Maybe this is due to my security settings.
I suspected this was fake. So I clicked Show Original to see the original message, and compared it with an official Facebook notification.
Delivered-To: *********@gmail.com
Received: by 10.229.232.4 with SMTP id js4cs57088qcb;
        Mon, 7 Jun 2010 22:27:03 -0700 (PDT)
Received: by 10.114.19.24 with SMTP id 24mr12516397was.190.1275974822617;
        Mon, 07 Jun 2010 22:27:02 -0700 (PDT)
Return-Path: <notification+pdvik71_@facebookmail.com>
Received: from mx-out.facebook.com (outmail004.snc1.tfbnw.net [69.63.178.163])
        by mx.google.com with ESMTP id r12si12649759waj.130.2010.06.07.22.27.01;
        Mon, 07 Jun 2010 22:27:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of notification+pdvik71_@facebookmail.com
designates 69.63.178.163 as permitted sender) client-ip=69.63.178.163;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
notification+pdvik71_@facebookmail.com designates 69.63.178.163 as permitted sender)
smtp.mail=notification+pdvik71_@facebookmail.com; dkim=pass header.i=@facebookmail.com
Return-Path: <notification+pdvik71_@facebookmail.com>
DKIM-Signature: v=1; a=rsa-sha1; d=facebookmail.com; s=q1-2009b; c=relaxed/relaxed;
 q=dns/txt; i=@facebookmail.com; t=1275974820;
 h=From:Subject:Date:To:MIME-Version:Content-Type;
 bh=Otsmfv8NGlIhh03V86ht/n9A6Ks=;
 b=iNJxzgLn0iJ7dOvKltc2W0K+iZdp9Gpk6CDVJjqEuia/QBf22IoK4z3+ARTtvgG1
 ZmGlXBqt8UqNb0bCuTx5sg==;
Received: from [10.18.255.137] ([10.18.255.137:39524])
 by mta004.snc1.facebook.com (envelope-from
<notification+pdvik71_@facebookmail.com>)
 (ecelerity 2.2.2.45 r(34067)) with ECSTREAM
 id 09/DA-09602-4A4DD0C4; Mon, 07 Jun 2010 22:27:00 -0700
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
 by www.facebook.com with HTTP (ZuckMail);
Date: Mon, 7 Jun 2010 22:27:00 -0700
To: ******** <**********@gmail.com>
From: Facebook <notification+pdvik71_@facebookmail.com>
Reply-to: Reply to Comment <c+24cdhk3000000niebn7050000gip2118f000000niebn
7001819gv62jz1ip1i@reply.facebook.com>
Subject: ***********************
Message-ID: <04fb44ba1ede9805583cc851babcaebc@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: feed_comment; from=1429844717; uid=1421623411;
owner=1421623411; oid=1294523769471; mailid=277d1d2G54bc4073G1099b2cG36
Errors-To: notification+pdvik71_@facebookmail.com
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
That one is officially from Facebook,
and this one is from the fake "Facebook":
Delivered-To: ***************@gmail.com
Received: by 10.229.232.4 with SMTP id js4cs48522qcb;
        Mon, 7 Jun 2010 17:50:01 -0700 (PDT)
Received: by 10.101.178.25 with SMTP id f25mr15731950anp.198.1275958200454;
        Mon, 07 Jun 2010 17:50:00 -0700 (PDT)
Return-Path: <billsm105@pageaerospace.com>
Received: from gw.shared-server.net (gw.shared-server.net [211.13.204.1])
        by mx.google.com with SMTP id k15si10050165anb.34.2010.06.07.17.49.58;
        Mon, 07 Jun 2010 17:49:59 -0700 (PDT)
Received-SPF: neutral (google.com: 211.13.204.1 is neither permitted nor denied
by best guess record for domain of billsm105@pageaerospace.com) client-ip=211.13.204.1;
Authentication-Results: mx.google.com; spf=neutral (google.com: 211.13.204.1 is
neither permitted nor denied by best guess record for domain of
billsm105@pageaerospace.com) smtp.mail=billsm105@pageaerospace.com
X-Facebook: from zuckmail ([7F9o5iFBKJ5o]) by www.facebook.com with HTTP (ZuckMail);
Date: Tue, 8 Jun 2010 09:47:55 +0500
To: <*************@gmail.com>
From: Facebook <noreply@facebookmail.com>
Subject: You have deactivated your Facebook account
Message-ID: <8d2b638908154bb0d38703091dba55be@www.facebook.com>
X-Priority: 3
X-Mailer: ZuckMail [version 1.00]
X-Facebook-Notify: deactivation_email; mailid=
X-FACEBOOK-PRIORITY: 0
MIME-Version: 1.0
Content-Type: text/html; charset = "UTF-8"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional //EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Facebook</title></head><body style="margin: 0; padding: 0;" dir="ltr">
<table width="98%" border="0" cellspacing="0" cellpadding="40"><tr>
<td bgcolor="#f7f7f7" width="100%" style="font-family: lucida grande, tahoma,
verdana, arial, sans-serif;">
<table cellpadding="0" cellspacing="0"
border="0" width="620"><tr><td style="background: #3b5998;
color: #fff; font-weight: bold; font-family: lucida grande, tahoma, verdana, arial,
sans-serif; padding: 4px 8px; vertical-align: middle; font-size: 16px; letter-spacing:
-0.03em;
text-align: left;">facebook</td></tr>
<tr><td style="background-color: #fff; border-bottom: 1px solid #3b5998; border-left:
1px solid
#ccc; border-right: 1px solid #ccc;font-family: lucida grande, tahoma, verdana, arial,
sans-serif; padding: 15px;" valign="top">
<table width="100%"><tr><td width="470px" style="font-size: 12px;" valign="top"
align="left"><div style="margin-bottom: 15px;
font-size: 13px;">Hi,</div><div style="margin-bottom: 15px;">You have deactivated your
Facebook account. You can reactivate your
account at any time by logging into Facebook using your old login email and password.
You will be able to use the site like you used
to.</div><div style="margin-bottom: 15px; margin: 0;">Thanks,<br />
The Facebook Team</div></td><td valign="top" width="150" style="padding-left: 15px;"
align="left"><table width="100%" cellspacing="0" cellpadding="0"><tr><td
style="background-color: #FFF8CC; border: 1px solid
#FFE222; color: #333; padding: 10px; font-size: 12px;"><div style="margin-bottom:
15px;">Sign in to Facebook and start connecting</div>
<table cellspacing="0" cellpadding="0"><tr><td style="border: 1px solid #3b6e22;">
<table cellspacing="0" cellpadding="0"><tr>
<td style="padding: 5px 15px;background-color: #67a54b;border-top: 1px solid #95bf82;">
<a href="http://berthlwyd.net/jonquil.html" style="color: #fff;font-size:
13px;font-weight: bold;text-decoration: none;">Sign In</a></td></tr></table></td></tr>
</table>
</td></tr></table></td></tr></table><div style="padding-top: 15px;">
<table width="100%" cellspacing="0" cellpadding="0"><tr>
<td style="background-color: #FFF8CC; border: 1px solid #FFE222; color: #333;
padding: 10px; font-size: 11px;"><div style="font-weight: bold; margin-bottom: 2px;">
To reactivate, follow the link below:</div><a href="http://barcoh.com/blaming.html"
style="color: #3b5998; text-decoration: none;">http://www.facebook.com/home.php</a>
</td></tr></table></div></td></tr><tr><td style="color: #999; padding: 10px;
font-size: 11px; font-family: lucida grande, tahoma, verdana, arial, sans-serif;">
This message was intended for Facebook user. If you do not wish to receive this
type of email from Facebook in the future, please click
<a href="http://fwsinc.com/renew.html" style="color: #3b5998">here</a> to unsubscribe.
<br/>Facebook`s offices are located at 1601 S. California Ave., Palo Alto, CA 94304.
</td></tr></table></td></tr></table></body></html>
Check out what I have set in bold. At first glance it looks like it comes from an official Facebook account, except for the return path to billsm105@pageaerospace.com. I checked www.pageaerospace.com and found that it is a legitimate site. What is interesting are the fake addresses, which are written to look as if they lead to your Facebook account:
http://berthlwyd.net/jonquil.html
http://fwsinc.com/renew.html
http://barcoh.com/blaming.html
I tried clicking barcoh.com and got a red warning message from Chrome (I use Google Chrome):
[image: Chrome warning for barcoh.com]
The same warning appeared for fwsinc.com, but nothing was found on berthlwyd.net (maybe this is only a machine set up to host jonquil.html).
I did not take the steps any further, so I don't know how these sites would affect you; I had not prepared a virtual machine. But I think the exploration is enough to draw a conclusion:
  1. Always check the original message when you suspect a message is not right.
  2. Be careful if you get a message from billsm105@pageaerospace.com or any message from pageaerospace.com. Maybe this machine is infected.
  3. Always browse safely. In Chrome, you can go to Options / Under the Hood and tick "Enable phishing and malware protection".
  4. Always keep your virus guard on, and complement it with Malwarebytes (I use MBAM and Avira free edition, always updated. This is more than enough).
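As an added example (not part of the original post), a small Python script that automates the three checks made above on a mail's raw source: Return-Path domain versus From domain, the SPF/DKIM verdicts in Authentication-Results, and anchor text that shows one host while the href points to another. The sample mail is a constructed, abridged copy of the fake message's headers and links.

```python
import email, re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed, abridged copy of the fake "deactivation" mail shown above.
FAKE_MAIL = """Return-Path: <billsm105@pageaerospace.com>
Authentication-Results: mx.google.com; spf=neutral (google.com: 211.13.204.1 is
 neither permitted nor denied) smtp.mail=billsm105@pageaerospace.com
From: Facebook <noreply@facebookmail.com>
Content-Type: text/html; charset="UTF-8"

<html><body><a href="http://barcoh.com/blaming.html">http://www.facebook.com/home.php</a>
<a href="http://fwsinc.com/renew.html">here</a></body></html>
"""
def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw):
    """Return the red flags found; an empty list means all three checks passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_dom, rp_dom = domain_of(msg["From"] or ""), domain_of(msg["Return-Path"] or "")
    if rp_dom != from_dom:  # bounce address and displayed sender disagree
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim"):  # what the receiving mail server verified
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            flags.append(f"{mech}={m.group(1) if m else 'missing'}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:  # visible URL names one host, the href goes to another
        p = LinkCollector()
        p.feed(html.get_content())
        for href, text in p.links:
            if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
                flags.append(f"link text {text} points to {href}")
    return flags
```

Run `analyze()` on the text shown by Show Original; the genuine notification above yields no flags, the fake one yields four.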
