This will probably bring internet flotsam to my site, but I thought you expert geeks out there might want to see the long headers (and raw source, just for fun) of the Facebook phishing email I just found in my Inbox. I received three different phishing attempts, but I just chose this one at random. I’m sure they were all similar. Click to see all the lovely, spammy code.
(If you aren’t a geek but you are a Facebook user, you can check out the email to see an example of yet another phishing scam. Remember: Facebook won’t ever reset your password without you initiating the reset first.)
- Great for small businesses: map your contacts!
- Add satends & family directly from your address book
- Look at History from Above: Pyramids, the Great Wall of China, & more
- Free videos help you discover Google Earth’s secrets
- Plan your trips: get accurate ETAs & travel routes
- Satellite imagery from NASA, Microsoft & others
- Take to the sky with our powerful flight simulator
- 3D videos of places like Disneyworld, Area 51 & Budapest
- eBook that explains how to maximize Google Earth
New visualization capabilities will thrill and intrigue you. With the newest version of Earth, you’ll discover things about the world you never knew before.
Media Internet Consultants, Edif. Neptuno, Planta Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a, Panama
_________
I clicked through, not especially paying attention to the warning signs (not from google.com or anything resembling Google, hard sell, generic services, etc.). I clicked through until I got to the page that asked for money. That’s when I woke up. I tried to close the page and lo and behold, the 30% off offer of $58.97 for a 3 year subscription suddenly has a pop-down window that changes the offer to 50% off! Spam, spam, spam. And they almost got my money. I was thinking, well, that’s super cheap, only 7 bucks (US) a year for google earth?
Seriously, don’t check email when you’re tired.
While there is a pro version of Google Earth (for industry people, not you or me), this scam tries to imply that the entire product is paid, which it is not; the common Google Earth is free. Don’t pay for services unless you really know what you and your company are doing.
Phishing is the practice of trying to trick people into revealing their passwords. Email is the usual medium. The emails are designed by experts and are made to look like they are being sent from a valid service or application.
At first glance, it’s hard to tell what’s real and what isn’t. In reality, it’s easy to discern real emails from phishing spam. A little education about how systems administration works and about how we fall into the trap of misguided beliefs on privacy and ownership is all you need to avoid phishing scams. You’ll never be fooled by these “Please reset your password” emails again.
HOW ACCOUNTS WORK: FACEBOOK DINNER PARTY
Facebook owns this candlestick
Here’s a little story that sort of explains how computing and user accounts work.
Let’s say that the powerful and organized Facebook Family owns a house in your neighborhood. They have lots and lots of well-planned dinner parties. You don’t know them very well, but you are going to one of their parties.
The night has come, and it’s time to go to the party. You walk up to the door and knock, and the Facebook Family lets you into the house. You sit down to a nice dinner; the silverware and place settings are beautiful and the food is scrumptious. The conversation flows. Everyone has a great time. Then the night is over, and your hosts walk you to the door, then they close the door and lock it as you leave.
Now, let me ask you a few questions:
At the beginning of the night, would you have to bring keys to the Facebook house in order to get into the party? No, that would be silly. Facebook House is owned by Facebook, naturally.
When it is time to enter the Facebook House, do you have to open the door yourself? No, you’d knock on the door. Facebook owns the house and the door, so they will open the door from the inside of the house.
When dinner is over, do you take the silverware or the plates? No. You wouldn’t even be able to if you tried.
When you leave, do you tell the Facebook Family to leave, too? No. It’s their house. They stay, you go.
We all know how this basic social situation works. It isn’t too different with online services.
If a service like Facebook, MySpace, American Express, etc. runs into some sort of technical problem, they will never ask you to reset your passwords. For Facebook to ask you to reset your password is like the Facebook Family asking you for keys to the Facebook House. They’d never need to ask because they OWN THE SERVICE; they have the “keys to the kingdom.” They will reset your password from the inside if you knock on the door and ask them to. But only if you knock and ask nicely. If you have forgotten your password, then YOU can click a button and they will send your authorized email account a reset link (remember which email account you use for each service). This is how it is supposed to work. It’s like you knocking on Facebook’s door and Facebook inviting you into their house. That is not Facebook wandering the streets looking for you, a stranger to them, hoping you have keys to their house. It just wouldn’t happen. Facebook never gets locked out of their own house. Ever.
The service owner (which, sadly, isn’t you) can reset any password they like. In fact, they can do WHATever they want WHENever they want. It’s their house; they can serve you whatever dinner they choose. They can read your emails, they can post using your ID, they can change any information on your account that they want. Do they fool around with user accounts? No (who has the time?!). But they’ll NEVER need your help with account administration. Ever.
So, knowing that all services have access to all aspects of their service, ask yourself why they would need you to reset your password. They wouldn’t. Phishing emails prey on the innocent who don’t know better.
HOW OWNERSHIP WORKS: THEY GOT IT, YOU DON’T
You don't own these! (photo by Peter Rice)
Western culture’s views on privacy and ownership help phishing scams work. We all think that we own our accounts. We don’t. Let me repeat: We do not own our accounts.
Don’t believe that your account is your own. It isn’t. It’s Facebook’s. You don’t own the dining room chair that you sit in at the Facebook House dinner party. You don’t own the food they serve you, or the forks or knives or napkins. You have no claim to anything within the Facebook House. You can come to dinner, enjoy yourself, and go home, but you can’t take your plate home with you, because it isn’t yours.
This was the hardest thing to drill into people’s heads when I was a systems admin for a Fortune 500: The company can control, look at, search, read, take over, claim and otherwise wreak whatever havoc they desire on your email account. The company owns it; you do not. Our inherent ideas of privacy and ownership run deep, and the fact that you don’t own your email, Facebook, or any other online account is hard to swallow for most people. But it’s the truth. No legislation is ever going to change this fact. Accept it now. I’ll give you a moment for this to sink in.
…
OK. Ready? Now that you’ve accepted the hard truth, you’ll be safer in the long run. Why? Because you will recognize phishing attempts for what they are: well-designed tricks meant to prey on your deep-set cultural notions of privacy and ownership. If you realize that services don’t need your help in administering accounts because you, in fact, don’t own the account (the service does), you will be less likely to fall for the onslaught of phishing emails coming down the pike. You’ll realize that the email must be a fake attempt by scammers who aren’t the owner of the service (because if they WERE the owner, they’d wait for you to knock on the door before they opened it).
——-
Below is the example of phishing I received today. I knew it was fake because:
1. Facebook doesn’t need my help in changing my password.
2. I didn’t ask Facebook to change my password.
3. The email was sent to the wrong email address. I use a different one for Facebook.
4. It has a zip file attachment. No way should any password reset email (even the ones I initiate by asking the service to reset my password) have an attachment. Only a link.
5. It’s super generic. It doesn’t address me by name, not first and last, not any. Just “Dear Facebook user.”
6. If a service contains its own messaging system, the service will use that messaging system first (i.e., Facebook would just send an in-Facebook email for any announcements, etc.).
Here’s the email:
From: password@facebook.com (Facebook Security)
Subject: Facebook Password Reset Confirmation! Customer Message.
Date: February 8, 2010 10:05:38 AM EST
To: christine@purplecar.net
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.
(attached file: Facebook_password_37413.zip ZIP archive 36.7 KB)
——
WHAT TO DO IF YOU’VE FALLEN FOR A PHISHING EMAIL:
1. Try to reset those passwords that you gave up immediately. Go to the service (e.g. Facebook) right away and click on the password reset button.
2. Change the password on your email.
3. Change the password on your financial accounts, if it was the same password (hopefully NOT!)
4. Consider requesting a credit report if your passwords to your accounts were the same, or if you suspect that the scammers have gotten a hold of your financial or other important private information.
5. Contact the customer service departments of all of the accounts that have the same password that you gave up to the phishing attempt.
6. Stay alert and wait to see if anything odd happens in your account over the next several weeks.
Just received the email below at my Yahoo account today. If you get it, don’t reply to it. It’s fake. It isn’t from Yahoo. Yahoo already HAS your username and password, they don’t need you to verify it. They also know your IP address, which will tell them which country you are in. And I don’t think it matters much how old you are — they will have you click a Terms of Service agreement that says you are over 13 or whatever if they want. They also don’t need any help from users to make “more space” for new ones. They just buy more servers.
Some poor sucker is going to respond to this and then the spammers will have all sorts of new ways to send out porn, fake viagra offers, you-name-it. If you are that poor sucker, don’t worry. Just go and change your password NOW.
“VERIFY YOUR YAHOO EMAIL ACCOUNT NOW
Dear Yahoo Email Account Owner,
This message is from uniminuto.yahoo messaging center to all yahoo email account
owners. We are currently upgrading our data base and e-mail account center. We are
deleting all unused yahoo email account to create more space for new accounts.
To prevent your account from closing you will have to update it below so that we will
know that it’s a present used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ………. …..
Email Password : …………….
Date of Birth : ……………..
Country or Territory : ……….
Warning!!!
Account owner that refuses to update his or her account within Seven days of receiving
this warning will lose his or her account permanently. Thank you for using yahoo !
Warning Code:VX2G99AAJ
You know the email. It goes along the lines of the urban legends we told each other as teens. Masked man in the back of the car (because naturally, you wouldn’t notice a MAN in the back seat of a Corolla). Delivery van full of poison, don’t open your packages. Whatever the flavor of the week was, you heard it. Now, instead of around a fire on a camping trip, these tales are delivered right to your inbox. Lovely.
The internet spreads so much fear. Even once my neighborhood knew the following report was false, they conceded that perhaps it is best for us to be wary of the real dangers the false story presented. Basically, they were warning each other to be aware of something that isn’t there, just to “be safe.” Well, that safety comes with a cost.
See, that’s the rub. This type of fear isn’t free. By vowing to “stay alert” at the level of an MI-6 assassin, you overlook the real petty crime that may hurt you, you give away your sense of safety and community, and you stress yourself and others out to the point that they doubt their very useful gut instincts. (These are the very gut instincts, by the way, that you need to keep you safe when something truly dangerous is going down. We don’t want to learn to ignore them.)
Yes, violent crime happens. Protect yourself. Learn when and what type of crime happens in your neighborhood and the places you frequent. Take a self-defense class. Sending around sensationalistic urban rumors won’t do crap in protecting you from what crime you more likely will face. Depending on where you live, you should probably concentrate on how not to get your purse snatched or your vehicle broken into instead of giving yourself hyper-xenophobia and a false sense of bravado because you “know” what can happen in a Target parking lot.
Why am I bringing this to your attention now? Today this email was sent to a Yahoo group I belong to. It has over 100 members of my neighborhood in it. I wanted to share this exchange with you to remind you that this type of fear isn’t free. Think twice before you mindlessly forward it on and pat yourself on the back for keeping people “safe.” It degrades community and actually supports an environment where even more violent crime will flourish. We only have each other; distancing ourselves from our neighbors isn’t the answer.
Here’s the whole exchange. Please share this widely. Let’s breed community, not crime.
My Mom sent this to me — it’s a legit story from Illinois (verified on Snopes) but who knows if it could happen here… be careful!
A new way to abduct a female. This is very scary!
Please pass on to all your girlfriends, wives, etc.
Just to be on the safe side. Please be aware and pass it on to anyone you think this will help.
Sunday afternoon around 5 PM I headed into the Target in Wheaton, IL
where crime is VERY RARE and mostly it is with bikes being stolen!!
It was still light outside and I parked fairly close to the entrance.
As I got out of my car and began walking towards Target, an older lady shouted to me
from the passenger seat of a car about 30 feet away from me.
“Ma’am you must help me, help me please, help me Ma’am!”
I looked at her in the eyes and started to walk towards her when all of a sudden
I remembered an email my Mom had sent me a week or two ago about rapists and abductions
using elderly people to lure women in.
I paused, memorized the license plate and immediately headed into Target to get a manager
to come help this lady, just in case something was up.
While the woman manager headed out there, I kept a close watch just because I was curious
what was wrong with the lady and wanted to be sure nothing happened.
As the Target lady walked up towards the car and got very close to the old woman in order to help her,
the back door of the car flies open and a large man with a stocking cap on, jumps out and sticks a gun to the lady’s stomach as he shoves her into the back of the car.
I yelled out “call 911″ several times and just as I was saying that, a policeman who happened to be on the other side of the parking lot! And who, luckily had seen the entire thing happen, raced over to the car.
He was able to stop the car and arrest the male as well as the old lady, who was involved in the scheme.
By God’s grace everyone was all right, including my self, although I think we were both shaken up.
Like many of you, I would not in a million years have left an elderly person who was yelling for help if it weren’t for the e-mail I had read last week. So, I wanted to pass this along so you all can be aware and remember that you really can’t trust anyone these days.
You just never know when something like this could happen. I would have never dreamed it to happen to me especially on a Sunday afternoon at a Target in a safe area!
It definitely was not a coincidence that my Mom sent that email just a few days before this all happened. Please, be careful and always be aware of your surroundings.
Just because you individually don’t go over to help someone doesn’t mean you have to leave them in trouble, but don’t go ALONE, you really don’t know what might be going on.
This was checked with Snopes.com http://snopes.com/ – this is true – and they also use children to lure the victim !!
Thankfully a second member posted a reply to this message, quickly stating that it was a false rumor that was, in fact, chronicled on Snopes.com:
actually, i just checked snopes http://www.snopes.com/crime/warnings/wheaton.asp
and it said this was false!
it always pays to check yourself – but it may also pay to follow the advice of this email anyway.
This is great, of course. But I had to take issue with the last statement, that the false advice was perhaps good to follow anyway. That kind of thinking comes at a price. A price too costly to pay.
Here’s my reply:
There are a few take away lessons from this for all of us:
1. Always check Snopes.com, even if it says “verified on Snopes.”
2. Always do a general internet search on keywords if you can’t find it on Snopes.
3. Make a decision about what fear is worth spreading. It doesn’t come without cost.
Do we really want to live our lives as if ridiculous, senseless violence is around every corner? If you want to truly be fearful, inform yourself about real crime statistics. Our neighborhood is relatively safe. Sure, a certain amount of “street smart” caution is needed at all times anywhere, but there’s no reason to doubt your regular instincts. Emails like this seem helpful, but they just work to spread baseless fear and degrade feelings of community.
Do we really want to live in a world where we don’t help our elderly? Granted, if said elderly is in an effed up van and your common sense is sending off crazy alarms, by all means call 911. But let’s not build this idea that we are to be on alert for violent crime around every corner. It’s just not real. What we would pay in stress and loss of community isn’t worth it.
Actual odd crimes like this get plastered all over the world news. You will not find out about them via email, trust me.
Ok, that’s the end of my rant.
Your loving pro-community internet queen,
(PurpleCar)
SUMMARY: Adam Slaney warning (or the latest one about “Richard Peel” or “ASHLEY MARC JAMES” or “CHRISTOPHER BUTTERFIELD” or “Simon Ashton” on FaceBook) is fake.
Social media has great potential, both good and bad. It can find you help in a hurry or cause you tons of frustration. Today I had to do some investigation to determine if Facebook was the unsuspecting abettor in a “denial of service” (DoS) social network attack.
We geeks recognize a DoS attack when hackers send so many requests to a page (or so many emails, etc.), that it crashes the server, putting your website out of commission until your security team can combat the offending spam. Another DoS attack, often categorized under ‘cyberbullying’ (or, what I like to call Social Network Abuse), can be waged by one user with a way to reach many on-line contacts.