Tuesday, June 11, 2013

How do hackers steal your usernames and passwords with a phishing attack?

Beware of the "facebookmail.com" domain. It's a phishing site.

Be careful with emails you receive from "FacebookMail.com": these mails are probably a phishing attack trying to steal your passwords and credentials. The domain does belong to the Facebook company, but people rarely use it for inviting their friends. If you invite a friend from https://www.facebook.com/invite.php, Facebook sends your friend an email from FacebookMail.com. The point is that this service is rarely used by users, while hackers use this address to send phishing emails to victims.
Phishing refers to a type of cyber attack in which the attacker tries to steal usernames, passwords and credit card information by masquerading as a trustworthy entity in the communication. The most common phishing technique is the use of FAKE PAGES. For example, the attacker opens facebook.com, downloads the login page and changes the path that the login form posts to so that it points to their own address. Afterwards they upload this fake page to their own host, under a domain name similar to the legitimate site's domain. The last step is to convince the victim to visit this fake website and enter his user/pass/cc details, all of which are sent to the attacker.
Here are some examples of similar domains (they are not real, just examples):
facebook.com (legit) -> faceb00k.com (malicious)
twitter.com (legit) -> tvviter.com (malicious)
and so on.
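As an added example (not code from the original post), here is a small Python check for look-alike domains such as the ones listed above. The brand list and the URLs it is tested on are constructed for the example, and it goes slightly beyond the two listed cases: it also catches a brand name embedded in another host (facebook.com.evil.example) and one-letter typos.

```python
from urllib.parse import urlsplit

# Brands this check protects; a constructed list for the example.
LEGIT_DOMAINS = {"facebook.com", "twitter.com"}

# Look-alike substitutions seen in typosquats, e.g. faceb00k or tvviter.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"),
              ("7", "t"), ("vv", "w"), ("rn", "m"))

def hostname(url: str) -> str:
    """Lower-case host of a URL; a bare domain is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def normalize(label: str) -> str:
    """Undo common character swaps so 'faceb00k' compares as 'facebook'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos such as 'twiter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the URL's host."""
    host = hostname(url)
    registered = ".".join(host.split(".")[-2:])  # login.faceb00k.com -> faceb00k.com
    if registered in LEGIT_DOMAINS:
        return "legit"
    brand = normalize(registered.split(".")[0])
    for legit in LEGIT_DOMAINS:
        legit_brand = legit.split(".")[0]
        # Brand name embedded elsewhere in the host: facebook.com.evil.example,
        # facebook-login.example, or a facebook* domain that is not facebook.com.
        if legit_brand in host:
            return "lookalike"
        if edit_distance(brand, legit_brand) <= 2:
            return "lookalike"
    return "unrelated"
```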
Most of the time the attacker uses email to invite the victim to the fake page. For example, they send the victim an email that looks like a message from Twitter and says "Hey you hear about the gossip your mentioned in? it started some serious drama, it fired up a lot of people on here http://bit.ly/.... " This raises the victim's curiosity and makes him/her click the malicious link; next he/she sees a page that looks like the Twitter login and does not pay enough attention to the address bar. However, this is a fake page, and after he/she enters his/her user/pass it redirects to the legitimate site (but his/her user/pass has been sent to the attacker).

For a few days now I have been receiving a phishing email from "blahblahblah@facebookmail.com". This is a domain similar to facebook.com, and by using it the attacker tries to fool the victim into thinking this mail is one of the sub-services of Facebook.com; however, this email is coming from a hacker who just changed the From address to a Facebook email address.
Facebook Phishing email request example


The funny fact is that I don't have any Facebook account using this email, and this made me suspicious that this might be a phishing attack. Another important point about this type of attack is that the button or link might point to Facebook.com. However, the attacker might use JavaScript to control the link shown in the status bar, or use a Facebook app or redirect to send the page to his desired destination. This redirect functionality is very common in social network websites.
Facebook URL that will redirect to phishing address

Sometimes the attacker has to change a few things inside the template of the request so that he/she can evade the phishing/spam filters, because filters look for specific signatures of an attack. In the following picture you can see that the attacker changed the Facebook text to F4c3b00k to make sure this signature is not in the filter list!
The attacker might change the structure of the mail to evade spam filters.


But detecting these emails is not hard; you just need to look at the header of the email. Each email provider has its own way to open the full header. In this example, for Gmail, go to your inbox, click the arrow next to the Reply button and choose "Show Original". On this page look for the From address. As you can see in the following picture, the From address is from the facebookmail.com domain.
Gmail email header showing the from address.
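An added example, not part of the original post, showing the header and link checks described above in Python: it compares the Return-Path domain with the From domain and flags links whose visible text names one site while the href goes to another, or whose query string carries a second URL (a redirect). The message it analyzes is constructed; facebookmail.com appears only because the post discusses it, and every other address and host is a placeholder.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Constructed sample message for this example; not a real email from the post.
RAW_MAIL = """\
Return-Path: <bounce@mailer.example>
From: "Facebook" <notification@facebookmail.com>
Subject: You have 1 friend request
Content-Type: text/html

<p>Someone sent you a friend request.</p>
<a href="http://faceb00k.example/login">https://www.facebook.com/friends</a>
<a href="https://www.facebook.com/redirect?url=http://faceb00k.example/login">See request</a>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url: str) -> str:
    """Host part of a URL, lower-cased; '' when the text is not a URL."""
    return (urlsplit(url.strip()).hostname or "").lower()

def mail_domain(header_value: str) -> str:
    """Domain of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw: str) -> dict:
    """Check the envelope sender against From and inspect every link in the body."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = mail_domain(msg["From"])
    return_dom = mail_domain(msg["Return-Path"])
    # Bounces go to Return-Path; a spoofed From rarely matches it.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    body = msg.get_payload(decode=True).decode()
    for href, text in LINK_RE.findall(body):
        href_dom, text_dom = host(href), host(text)
        # Visible link text names one site while the href goes to another.
        if text_dom and text_dom != href_dom:
            findings.append(f"link text shows {text_dom} but points to {href_dom}")
        # A legitimate-looking URL whose query carries a second URL is a redirect.
        for values in parse_qs(urlsplit(href).query).values():
            for value in values:
                if value.startswith(("http://", "https://")):
                    findings.append(f"{href_dom} redirects to {host(value)}")
    return {"from_domain": from_dom, "findings": findings}
```

Run `analyze(RAW_MAIL)` to get the list of findings for the sample; on a real message, paste the text from "Show Original" in place of RAW_MAIL.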

This attack might be launched in many ways and from any site, and its target is to exploit the user through social engineering. For example, in the following picture you can see another common phishing attack that happens on Twitter. They use messages such as "hey someone is writing shocking things that are about you" or "I cant believe this but there are some real nasty things being said about you here..." or "Who posted this video of you on FB?" and so on, to raise the curiosity of the victim, make the victim click on the link and send the victim to their desired destination, which can be a phishing site or a malicious website.


The only solution to detect these attacks is to be careful about these requests and use a URL safety check app. These apps come in the form of browser add-ons or as part of an antivirus program.
Bitdefender, one of the most famous security companies, has a free extension named "TrafficLight". This tiny tool installs in your browser, checks the safety of each link on the current page and shows a circle next to every URL (green = safe, red = malicious). I suggest that everybody use this tool because it can be very useful to mitigate phishing/scam/malicious/malware website attacks.
Example of the Bitdefender TrafficLight tool detecting malicious sites.
