Facebook Email Scam – Alma Commented On Your Photo

Mon, Dec 27, 2010 by

I received an email message from “Facebook” with the subject line “Alma commented on your photo”. I was so excited, until I realized I wasn’t friends with anyone named Alma…then I was sad :-( (Clue #1)

Okay, the truth is I knew it was spam just from reading the subject line; my Facebook settings are not setup to email me every time someone comments on my photos, so this email couldn’t have really been from Facebook. (Clue #2)

I don’t normally open up emails that I know are spam, but now that I blog about this topic, every now and then I’ll open one up to alert you all. Since I knew this was a scam, I opened up the email using our security product, Light Point Web, to avoid infecting my computer with malware. And this is what I found…

About The Facebook Email Scam

Facebook Email Scam - Alma commented on your photo

The email said it was from Facebook, but the email address associated with the account is noreply@netlogmail.com, which is not a Facebook domain. (Clue #3)

If this email had really been from Facebook, I would have expected either my name or email address to be in the To field. However, there was nothing there. This means that my email address was placed in the Bcc line, instead of the To line. This leads me to believe that this email was sent to more than one person, and that the sender did not want the receivers to see all the other email addresses. This is consistent with spammer behavior – they craft one generic email message, and send it to lots of people. (Clue #4)

My email provider had already marked the message as spam – it was sitting in my junk folder when I found it. (Clue #5)

The body of the message said:

Alma commented on your photo.

Alma wrote:
“very nice photo i like thiss “

Reply to this email to comment on this photo.

To see the comment thread, follow the link below:

http://www.facebook.com/n/?photo.php….

Thanks,
The Facebook Team

—–
Find people from your Windows Live Hotmail address book on Facebook! Go to: http://www.facebook.com/find-friends/?ref=email

This message was intended for. If you do not wish to receive this type of email from Facebook in the future, please follow the link http://www.facebook.com/o.php?…
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303

The email asks you to reply to the email in order to comment on that photo. However, Facebook does not support this functionality. (Clue #6)

Notice that the links in the message appear to have their URLs spelled out, and all of them seem to point to the facebook.com domain. But by hovering your mouse over a link, you can see the real URL the link points to. In this case, every link in the message points to the website likemp3.net. This is obviously not Facebook (see below for a report of this website). (Clue #7)

Lastly, take a look at the footer of the email. It says, “This message was intended for.” There should be an email address after the word “for” in that sentence; otherwise it doesn’t make sense. Since this exact email was sent to many email addresses, the spammers removed that portion from the footer. (Clue #8)
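Several of the clues above (the sender domain in Clue #3, the empty To field in Clue #4, the link text that disagrees with the real link target in Clue #7, and the truncated “intended for.” footer in Clue #8) can be checked mechanically before a person ever opens the message. The script below is an added example written for this post; it is not code from the blog or from Light Point Web. The email it analyses is a constructed sample modelled on the message described above (the hrefs, tracking parameters and header values are illustrative, not copied from the real scam), and the list of trusted domains is an assumption that follows the author’s statement that Facebook only uses facebook.com.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the scam described in the post. Header values,
# hrefs and the CONSTRUCTED tracking id are illustrative, not the real message.
SAMPLE_EMAIL = """\
From: Facebook <noreply@netlogmail.com>
To:
Subject: Alma commented on your photo
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alma commented on your photo.</p>
<p>To see the comment thread, follow the link below:</p>
<p><a href="http://likemp3.net/track?id=CONSTRUCTED">http://www.facebook.com/n/?photo.php</a></p>
<p>Find people from your address book on Facebook! Go to:
<a href="http://likemp3.net/find">http://www.facebook.com/find-friends/?ref=email</a></p>
<p>This message was intended for. If you do not wish to receive this type of
email, follow the link <a href="http://likemp3.net/o">http://www.facebook.com/o.php</a></p>
</body></html>
"""

# Assumption taken from the post: facebook.com is the only legitimate domain.
TRUSTED_DOMAINS = {"facebook.com"}


def registered_domain(host):
    """Reduce a hostname to its last two labels (www.facebook.com -> facebook.com).
    Crude, but sufficient for the domains involved here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of human-readable findings for the clues the post describes."""
    msg = message_from_string(raw_message)
    findings = []

    # Clue 3: the From address must belong to a trusted domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.partition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not one of {sorted(TRUSTED_DOMAINS)}")

    # Clue 4: an empty To header means the recipients were hidden in Bcc.
    if not msg.get("To", "").strip():
        findings.append("To header is empty (recipients hidden in Bcc)")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # Clue 7: link text that looks like a URL must agree with the real href target.
    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registered_domain(urlparse(href).netloc)
        shown_host = urlparse(text).netloc if "://" in text else ""
        if shown_host and registered_domain(shown_host) != href_domain:
            findings.append(f"link text shows {shown_host} but points to {href_domain}")

    # Clue 8: "intended for" followed directly by a full stop has no recipient.
    if re.search(r"intended for\s*\.", body):
        findings.append("footer 'intended for' has no recipient address")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports the sender domain, the empty To field, three link-text mismatches (all pointing to likemp3.net) and the truncated footer, which is the same set of clues a careful reader spots by hand. The domain comparison is deliberately done on the registered domain rather than on the full hostname, so that www.facebook.com in the link text is not flagged against a genuine facebook.com target.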

Below is the footer from a legitimate email from Facebook. Compare it to the footer shown in the scam email above.

Facebook Unsubscribe Footer

likemp3.net is a Malicious Website

Norton Safe Web identified likemp3.net as a malicious website and found 1 computer threat on the site. A computer threat is an item, such as a virus or worm, that loads directly onto your computer with the potential to do it harm. Please do not go to that site.

Norton Safe Web reports likemp3.net as malicious

How to Protect Yourself From Email Scams

Here are a few things you can do to prevent your computer from being infected with malware:

  • If you receive an email like this one, do not open it, and delete it right away.
  • Never click on links in an email message. Instead type the URL of the website directly in the address bar, and log into your account that way.
  • If you must click on a link in an email, for example when it is not a “check your account status” type of email, hover over the link and look at what the status bar tells you. If the URL shown in the status bar isn’t for the website you’re expecting to go to, don’t click on the link. In the case of this Facebook email scam, the URL in the status bar doesn’t link to facebook.com; instead it links to likemp3.net.
  • Note that the only domain name used by Facebook is facebook.com. Any URL that doesn’t start with http://www.facebook.com/ is not an official Facebook page. That’s not to say it’s a malicious site, it’s just not an official Facebook page, so use caution when going to these sites.

Have you received any Facebook email scams? Tell us about it in the comments section.