Fake copyright violation notice aimed at stealing Facebook accounts

The latest phishing campaign aimed at stealing Facebook accounts is gathering momentum. Users are receiving mass e-mails threatening bans for copyright violation. The aim is to steal the users’ login credentials. We explain the anatomy of the new scheme and how not to swallow the bait.

Who, me?

The message says something like: “Your Facebook account has been disabled for violating the Facebook Terms. If you believe that this decision is incorrect, you may file an appeal at this link.”

What could the problem be? A video you posted last year of your friends dancing to a hit song? Could that really be it? Well, maybe: The link does lead to a notice about music copyright infringement. The address of the page is facebook.com, and the notification page contains a link to an appeal form. So far, seems plausible.

Afraid of losing your account and without seeing any red flags in the link address, you might even enter your full name and username, as requested. Next, however, is a request no one should mindlessly obey: “For your own security, please enter your password.”

And … scene. Your login and password (i.e., your entire account) now belongs to cybercriminals.

We’ve said it before and we’ll say it again: Don’t follow links in suspicious e-mails. Even the savviest users can get caught off-guard by a well-written, well-designed message that gets through the spam filter, contains what looks like a good link, and generally seems legitimate.

What’s the trick?

On closer inspection, the scam isn’t really that clever. At every stage, there are warning signs. What’s important is to stay calm and alert. Panic can lead even cautious people down dangerous paths.

Let’s start with the e-mail. First, the text itself gives the scammers away. Although it lacks the kind of egregious language errors we often see in spam, anyone familiar with Facebook’s communications will note that the letter doesn’t read quite right. Then, to trick spam filters, attackers introduce small intentional typos into the body of the e-mail. In this case, they used the old upper-case-I-instead-of- lower-case-L trick. If your mail client uses a serif font, the substitution is easy to spot.

Here's how the message looks if the mail client uses a serif font. The substituted letters give the scammers away

Here’s how the message looks if the mail client uses a serif font. The substituted letters give the scammers away

If the font is sans-serif, you may not detect that sort of change. So, let’s move on to the next clue. Pay attention to the sender’s address. The name says Facebook, but the actual address (shown in some clients in a nondescript gray color, unfortunately) has nothing to do with the social network. Official Facebook notifications would never come from an address like this one.

If your mail client uses a sans-serif font, lower-case L and upper-case i look identical, but the sender's address betrays its origin: not Facebook

If your mail client uses a sans-serif font, lower-case L and upper-case i look identical, but the sender’s address betrays its origin: not Facebook

Now, the link in the e-mail does point to Facebook. As we mentioned, that’s another trick designed to fool spam filters — and you. But the page does not contain an official notice; it’s a note. Until last October, any user could create one using Facebook Notes. At the time of this writing, the tool has been disabled, but old notes are still accessible. At the top of the page is the username, which in this case looks plausibly legit: Case #5918694.

The address bar reveals that the text is someone's Facebook note

The address bar reveals that the text is someone’s Facebook note

The link is external but disguised as internal. Hovering over it, we can see that it redirects from Facebook to an outside website that has been shortened using Bitly.

The address of the link is visible in the lower left corner. At first glance, it might seem internal, but it points to an external resource via bit.ly

The address of the link is visible in the lower left corner. At first glance, it might seem internal, but it points to an external resource via bit.ly

The link opens a form that asks for the e-mail address or phone number linked to your Facebook account. The page address looks a bit like Facebook’s, but a closer look reveals that it has nothing to do with the social network.

The address bar shows

The address bar shows “.com” followed by a random set of numbers

Click the Send button and a password entry form pops up. It’s the final play; enter a real password in this field and it’s game, set, and match to the cybercriminals.

Finally, the password entry form

Finally, the password entry form

How to protect your Facebook account from hijacking

You can thwart most phishing campaigns (not just Facebook ones) by following these simple rules.

  • Take your time and do not panic;
  • Check the sender address before clicking on links in e-mails. Facebook is unlikely to send notifications from non-Facebook mail domains, for example;
  • Look for strange lettering, mistakes, and typos in e-mail text, and assume any message containing them is suspicious;
  • Always log in to your account through the app or by entering the URL in your browser’s address bar (by typing it, not by clicking a link), even if you suspect you’ve received an actual notice of terms-of-service violation;
  • Avoid entering your login credentials on third-party or other pages — but if you did that and lost access to your account, contact customer service immediately. Here are some more handy hints for use in the event of a hack.
  • Install a reliable security solution, such as Kaspersky Security Cloud, that will warn you if you try to open a suspicious page and also guard against malware, data collection, webcam surveillance, and other threats.