Evil Facebook Spam
Facebook did not spam me
Facebook is a wonderful tool for letting complete strangers know what you had for dinner last night or showing prospective employers what you do on the weekends. The Facebook empire continues to expand into all parts of the world where free time is in excess.
Do Facebook servers launch spam campaigns? Probably not. Unfortunately, electronic mail can be easily configured to appear to come from any web site. Recently my unfortunate inbox accepted a message that, on the surface, seemed to originate from my friends at Facebook. At first glance the contents seemed legitimate. At second glance subterfuge and deception reared their ugly heads. Don't let this happen to you.
Let's take a closer look. We embark on a journey through Canada, Spain, and a friendly pub in New Jersey. Somehow they are all virtually related.
Don't be fooled
Spammers are evil but mostly not stupid. They spend their waking hours contriving strategies to convince us that all is well. They leverage the good will of legitimate organizations. They hide behind weaknesses in the design of the Internet.
This particular message steals Facebook fonts, colors, and styles. It also attempts to inspire a little fear: "You have 1 lost message on Facebook" might be sufficient to coax many unsuspecting legitimate Facebook users into clicking on the links embedded in the message. No one wants to lose a Facebook message.
The link appears to be legitimate
The link included in the text of the message seems reasonable. Included in the link is a reference to the real Facebook site and also the word 'profile', which all Facebook members recognize. Unfortunately, hovering over the 'link' reveals the true address: it's nothing remotely related to Facebook.
What if you click on it? Don't click on it.
Clicking on the link will open a browser window and attempt to load a web page from a domain called "alenwich.com", which is obviously not Facebook. In the interest of science we opened the link in our browser. Don't try this at home. We are qualified professionals who take extreme precautions.
We opened the link not in Windows, but in Linux, which affords additional protection levels because the spammers probably designed their attack under the assumption that most computer users are running a Windows-based operating system.
We weren't attacked, only redirected. We were victimized by a little Internet sleight of hand.
Some basic redirection
One useful feature built into the language of web pages is the ability to redirect to a completely different page. When we clicked on the link embedded in our spam email, we were redirected to a completely different domain. The original link pointed to "alenwich.com/james.html", which immediately redirects to "pillscioffline.com".
The new destination wanted to sell us some stuff. We were treated to a cornucopia of Canadian Pharmaceuticals. Our computer was not attacked, only insulted.
Why go to all this trouble?
Some folks really want to sell stuff. In this case, the sole purpose of the original Facebook-style spam was to direct traffic to a web site ostensibly offering pharmaceuticals at relatively low prices. Everyone knows that Canada has less expensive products compared to some other parts of the world. We all trust Canada and many of us gladly reveal highly sensitive information to web sites purporting to be "Canadian."
Is Canada in Spain?
The plot gets thicker. Our destination domain, pillscioffline.com, is registered in Spain. It was registered only 2 days before our spam arrived. In other words, the site was 2 days old and the ownership of the domain was assigned to a physical mailing address in Spain. Canada is not near Spain, nor are the two countries spelled sufficiently alike to suggest that typographical errors may be at fault.
Click here to see who owns the domain.
Is there a Canadian Family Pharmacy?
A legitimate business with the endearing name "Canadian Family Pharmacy" may actually exist. It may actually offer legal products at reasonable prices. On the other hand, the web site at pillscioffline.com might contain just enough programming and endearing graphics to collect credit card numbers and social security numbers.
There may be no legitimate pharmacy behind the web site. We can't say for sure. Any competent programmer can cobble up a web site. Be very careful when revealing personal information online.
Should you be feeling a bit peckish after all this cloak-and-dagger nonsense, stop by the Ale 'n 'Wich Pub for a burger. These unsuspecting folks are the rightful owners of the domain called alenwich.com. Yes, that domain does appear in the original spam that started this mess, but rest assured that no one in the restaurant had anything to to with this risky scheme.
Someone hacked them during the lunch rush. Were you to peek into their web server computer, you would see a tiny file called "james.html" that serves to immediately redirect unsuspecting browsers from alenwich.com to pillscioffline.com. That little file may persist for years or may be erased before you read this: it doesn't affect the normal operation of the computer at all.
Don't blame Facebook, don't blame the Ale 'n' Wich Pub, and don't blame Canada. Blame yourself if you fall for this type of contrivance. Resist the urge to reveal personal information just to save a few dollars.