Facebook Password Reset Confirmation

This weeks most popular virus campaign appears to be the Facebook Password Reset Confirmation emails.

These emails claim to come from a wide variety of Facebook email addresses, such as:

  • “Contact Facebook” <security@facebook.com>
  • “Facebook Manager” <profile@facebook.com>
  • “Facebook Networks” <customer.service@facebook.com>
  • “Facebook Support” <change@facebook.com>
  • “Facebook Support” <customer.support@facebook.com>
  • “Facebook Support” <password@facebook.com>
  • “Facebook Support” <service@facebook.com>
  • “The Facebook Team” <confirmation@facebook.com>
  • “The Facebook Team” <login@facebook.com>
  • “Your Facebook” <profile@facebook.com>

But these are examples of sender address spoofing as they are actually sent from already infected personal computers throughout the world. Additionally, they appear to change the address every day or two in order to try and reduce their susceptibility to spam filtering systems.

The Subject of the emails is similar to those actually sent by Facebook:

  • Facebook Password Reset Confirmation! Important Message
  • Facebook Password Reset Confirmation NR.32917

In the case, of the “NR.32917″ example, the number is randomized to try and avoid spam filtering systems.

The message itself is not particularly convincing, but no doubt still effective enough for the spammer’s purposes. While their are slight variations, the emails basically says:

Hey johnmaxwell,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team.

The dual email file attachments (very common to virus campaigns nowadays) included are:

Facebook_password_Nr4457.exe
Facebook_password_Nr4457.zip

Launching either of these files will execute the virus code, resulting in the infected computer itself sending spam emails to continue the mass infection while also compromising usernames and passwords entered into the PC while the machine remains infected, which is perhaps indefinitely.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.

Tags: ,

4 Responses to “Facebook Password Reset Confirmation”

  1. christie Fox says:

    then what exactly is the email address to use to reach Facebook support? My Facebook is messing up and for the life of me I am unable to find their support to get the darned thing fixed. Seems Facebook doesn’t have the heart to provide us with a good email address directly to their techs to get something fixed….boo for Facebook.

  2. If you manage to find a real Facebook support address please post it here. We’d love to know what it is. The best we’ve been able to find is the Facebook Help Center:

    http://www.facebook.com/help/?ref=pf

    This can also be reached by scrolling to the very bottom of any FB page and click the Help Center link in the lower right corner.

  3. l says:

    I have the same issue. Cannot find a way to contact “facebook” to report fraudulant email.
    this should tell you something about how devious facebook is.

  4. Chaston says:

    My email quarantine program at work just notified me of a quarantined message from “networks@facebook.com” that had a subject line of “Facebook Password Reset Confirmation! Support Message.” It was received on 4/26/2010 at 4:54 pm MST.

    I have no Facebook Account/Page at this time nor have I ever in the past. This is obviously fraudulent. I though you all should know and please, pass the word on.