A reader got in touch with me regarding a suspicious email they had received claiming to come from Facebook, with the subject line:
“Someone tried to Iog in To Your Account, User lD : <random number>”
What made the reader suspicious? Well, amongst other things, they’re not actually a Facebook user. (Good for them.)
Let’s take a look at the email, which claims to be a warning that someone using an iPhone 11 Pro had tried to log into the account.
A user just logged into your Facebook account from a new device iphone 11 pro. We are sending you this email to verify it’s really you.
The email offers the users two options – “Report the user” or “Yes, me”.
Now, I was fully expecting that if anyone clicked on the “Report the user” or “Yes, me” options that they would be taken to a phishing page posing as Facebook, and designed to steal their login credentials.
To my surprise, however, neither option is actually a traditional web link.
Instead, if you were to click on the links (which use the mailto: URI scheme) your email client opens and you will find that you are sending an email to 39 different email addresses.
Here’s what you might see if you click on the “Report the user” button:
So, what does this mean?
You’re not being taken directly to a phishing page as you probably would have anticipated. Instead, you’re one step away (you still need to press “Send” in your email client) to announcing to 39 complete strangers that you can be lured into responding to suspicious emails.
Of course it’s always possible that one of these email addresses might respond to you, and could potentially ask you to confirm your password or invite you to click on a link.
But it certainly feels that whoever dreamt up this scheme has made a massive boo-boo by configuring their phishy email to forward victims to send a mail to multiple addresses which probably are not under their control, rather than take them to a conventional phishing page.
I almost wonder if whoever spammed out this email was playing with a phishing email construction kit, and somehow misconfigured it to cause such an odd outcome.
And, to be nerdy for a moment, it’s very poor form to send an email to so many recipients when a BCC: would respect their privacy much better!
I’ve redacted most of the email addresses on the list – although there are a couple which smell a bit fishy (I wouldn’t be surprised if firstname.lastname@example.org and email@example.com were up to no good.)
Of course, the very best defence is to know that any emails from Facebook *must* be bogus because you simply don’t have a Facebook account. :)
If you’re thinking of leaving Facebook, why not listen to this “Smashing Security” podcast we recorded:
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.