
Facebook password requested email - Scam? Phishing?



#1 JimmyRiddle

JimmyRiddle

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 03 September 2017 - 06:42 PM

Received one of these out of the blue for an account I've long since deactivated.

 

Perhaps stupidly, I clicked the 'didn't request this change. let us know' option, and was taken to what appears to be Facebook. All seems legit: HTTPS, Facebook. I entered no further details at this point, and was not requested to. It appeared exactly like Facebook and had this message:

 

Thanks for letting us know
We've recorded that you didn't ask to reset your password. You can log in to your account with your current password, and you don't need to do anything else.

 

 

 

To double-check, I requested the same thing on a separate account (so entirely legit) and received an identical response. Having clicked both, it appears again to be identical to the first, and looks legit; however, I can see that the URL isn't exactly the same.

 

Number one (that i requested to check) - https://www.facebook.com/login/recover/disavow_reset_email.php? [Rest of URL Redacted]

 

Number Two - that came out the blue

https://www.facebook.com/login/recover/disavow_reset_email.php? [Rest of URL Redacted]

 

 

I have put ****** in instead of the request codes in case it's sensitive. 

 

Any thoughts? Does this look dodgy? 


Edited by britechguy, 07 September 2017 - 04:21 PM.
Redacted full Facebook URLs which link directly to user account




#2 jburd1800

jburd1800

  • Members
  • 565 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 03 September 2017 - 07:03 PM

Looks like a scam to me, and FB uses https...

“May the sun bring you new energy by day, may the moon softly restore you by night, may the rain wash away your worries, may the breeze blow new strength into your being, may you walk gently through the world and know its beauty all the days of your life.”


#3 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 04 September 2017 - 03:16 AM

Sorry, I don't follow you.

 

Both links go to a genuine Facebook page, and are both HTTPS. I have not been asked to input any information, and both instructions were identical. The only difference I can see is the initial one (number 2) has the word android in the URL.

 

Any opinions on this?



#4 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 04 September 2017 - 03:29 AM

This was the sender in the unsolicited one. Exactly the same as the legit one. Unless I'm being a dunce, this seems legit to me.

 
from: Facebook <security@facebookmail.com>
reply-to: noreply <noreply@facebookmail.com>
to: my email- gmail.com>
date: 31 August 2017 at 11:37
subject: 612**5 is your Facebook account recovery code
mailed-by: facebookmail.com
Signed by: facebookmail.com
security: Standard encryption (TLS)
 

 

 

Exact same as the one I requested:

 

 

from: Facebook <security@facebookmail.com>
reply-to: noreply <noreply@facebookmail.com>
to: my email address
date: 31 August 2017 at 13:10
subject: 912**7 is your Facebook account recovery code
mailed-by: facebookmail.com
Signed by: facebookmail.com
security: Standard encryption (TLS)

Edited by JimmyRiddle, 04 September 2017 - 03:41 AM.


#5 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 04 September 2017 - 03:46 AM

From an article on the subject:

 

 

 

Malicious coders of the world try to gather Facebook usernames and passwords through many different means, including sending out scam emails that claim a password reset has taken place and offering to provide the new password. If you've received a password-reset email allegedly from Facebook, it's a good idea to be very wary of following the instructions in it.

Legitimate Activity
If you forget your Facebook username or password, you can use online tools to request a password reset. Facebook will send an email to the address you have on file and allow you to click a link that will reset your password and let you log in again. If someone else enters your email address, thinking it's his own, then you would still get the reset email from Facebook. If that happens and you didn't initiate the password reset request, simply ignore the email and don't click on the link.

Phishing

If you get an email asking for your Facebook password it is a scam. Facebook won't ask for your password via email. Whoever sent you the email is posing as Facebook support to try to gather your personal information and log in to your Facebook account. Even if the email appears to be from Facebook you can know that it's not if it asks you to provide any personal information via email.

 
Malware

Another way that Facebook password scams attempt to gather your information is through malware -- malicious software -- that they try to get you to run on your computer. In one scam, the malware is a file attached to an email; the message claims that your Facebook account password has been changed for security measures and the new password can be found in the attached document. Just like with phishing attacks, Facebook won't send your password via email and they won't assign you a password without asking you first.

 

Security

If you do receive an email that appears to be from Facebook you can always check to see if it actually came from the company itself by looking at the email address. The part of the email address that's most important is the domain name -- the part that follows the @ sign. If it shows "facebook.com" at the very end of the email address then the email has come from Facebook, but if anything else comes after that, then the email is suspect. For example the email might come from an address of useraccounts@facebook.com.helpfiles.ru. In that case the website "helpfiles.ru" has added "facebook.com" as a part of the email address, but the true source is "helpfiles.ru." If you have any doubt about the source of the email, don't click on the link; instead, open a new browser window, go directly to Facebook.com and log in that way to get any help with your account.

 

 

 

The Security section seems to indicate that both were legit, and were from FB. 


Edited by JimmyRiddle, 04 September 2017 - 03:46 AM.


#6 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 04 September 2017 - 09:16 AM

I just checked the headers and it looks legit -

 

 

1) From the attempt I requested:

 

 

Created on: 31 August 2017 at 13:10 (Delivered after 1 seconds)
From: Facebook <security@facebookmail.com> Using ZuckMail [version 1.00]
To: me
Subject: 912857 is your Facebook account recovery code
SPF: PASS with (same IP which I redacted)
DKIM: PASS with domain facebookmail.com
DMARC: PASS

 

 

2) Unsolicited attempt (not by me at least) from:

 

Message ID <2752cbe21100a29916daac919fe7141f@graph.facebook.com>
Created on: 31 August 2017 at 11:37 (Delivered after 1 seconds)
From: Facebook <security@facebookmail.com> Using ZuckMail [version 1.00]
To: me
Subject: 612085 is your Facebook account recovery code
SPF: PASS with IP*******
DKIM: PASS with domain facebookmail.com
DMARC: PASS

 

I removed the SPF IP in case it's sensitive info, but they were identical.

 

So, from my admittedly unsophisticated eyes, this appears legit, and likely was someone with a similar user name / email attempting to log in to their account. Would be interested to hear if this appears so to any more experienced tech people. Thanks.


Edited by JimmyRiddle, 04 September 2017 - 10:43 AM.
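
The two checks discussed in posts #5 and #6 (the domain after the @ sign, and the SPF/DKIM/DMARC results in the headers), as an added example that is not part of the original thread. It reads the `Authentication-Results` header stamped by the receiving mail server and accepts a message only if the From domain is a trusted domain (or subdomain of one) and that server recorded a DMARC pass for the same domain. The trusted list, the receiver name `mx.example.net` and both sample messages are constructed assumptions; `helpfiles.ru` is the lookalike from the quoted article.

```python
import email
import re
from email.utils import parseaddr

# Assumption: domains this reader expects Facebook mail from
# (facebookmail.com is the sending domain shown in the thread).
TRUSTED = {"facebookmail.com", "facebook.com"}
COMMENT = re.compile(r"\([^()]*\)")  # parenthesised comments in the header

def under_trusted(domain):
    """True only for a trusted domain itself or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED)

def assess(raw, receiver):
    """Check the From domain and the DMARC verdict recorded by `receiver`."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = COMMENT.sub("", hdr).partition(";")
        # Senders can add this header too; trust only our own server's copy.
        if authserv.strip().lower() != receiver:
            continue
        for part in rest.split(";"):
            toks = part.split()
            if toks and "=" in toks[0]:
                method, _, verdict = toks[0].partition("=")
                props = dict(t.split("=", 1) for t in toks[1:] if "=" in t)
                results[method] = (verdict, props)
    verdict, props = results.get("dmarc", ("", {}))
    dmarc_ok = verdict == "pass" and props.get("header.from", "").lower() == from_dom
    return {"from_domain": from_dom, "trusted_domain": under_trusted(from_dom), "dmarc_pass": dmarc_ok}

# Constructed sample messages; mx.example.net is a hypothetical receiver.
GENUINE = """Authentication-Results: mx.example.net;
 dkim=pass header.i=@facebookmail.com;
 spf=pass (sender permitted) smtp.mailfrom=facebookmail.com;
 dmarc=pass (p=REJECT) header.from=facebookmail.com
From: Facebook <security@facebookmail.com>

body
"""
LOOKALIKE = """Authentication-Results: mail.helpfiles.ru; dmarc=pass header.from=facebook.com.helpfiles.ru
From: Facebook <useraccounts@facebook.com.helpfiles.ru>

body
"""
print(assess(GENUINE, "mx.example.net"), assess(LOOKALIKE, "mx.example.net"))
```
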


#7 MDD1963

MDD1963

  • Members
  • 699 posts
  • OFFLINE
  •  
  • Local time:06:21 AM

Posted 06 September 2017 - 03:25 AM

You will never get random emails from FB asking you for your password...; there may occasionally be emails with 'new device used for account' notices when logging on from different computers and/or routers, but ignore any email asking you to send your password...

 

If there were truly a password problem, you'd already be locked out.


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:21 PM

Posted 06 September 2017 - 03:03 PM

I think you published your Facebook ID in the links you redacted.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 JimmyRiddle

JimmyRiddle
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia
  • Local time:10:21 PM

Posted 17 September 2017 - 02:12 PM

Thanks, Didier. I don't think they led anywhere but a generic sign-in page, but they have since been redacted anyway. This case is pretty much resolved; I think it was just someone inputting my name in error.





