This one should immediately throw up some red flags, considering that the scammers can’t even spell “Zuckerberg” correctly. A new phishing scam making its way around Facebook is just a new riff on a classic ruse.

Hoax Slayer is reporting a message hitting some users’ inboxes claims to be from “Mark Zurckerberg” and states that…

Mark Zurckerberg

Dear Facebook user, After reviewing your page activity, it was determined that you were in violation of our Terms of service.Your account might be permanently suspended.

If you think this is a mistake,please verify your account on the link below.This would indicate that your Page does not have a violation on our Terms of Service.

We will immediately review your account activity,and we will notify you again via email.
Verify your account at the link below:

Clicking on the link will direct users to a fake Facebook login page. Although made to look like the real Facebook login page, this malicious site will simply steal your info once you enter it in.

This type account verification scam is old, but persistent. Most claim that the user has violated some Facebook terms and must verify their account in order to keep it from being suspended. In the past couple of months, we’ve seen a couple variations of this scam hit Facebook. One version purported to come from the Facebook Security Team. Another scam message claimed that users had been “annoying or insulting” to other users and that they face account suspension. Both of those scams, like this “Zurckerberg” one, asked for personal info to “verify” the accounts.

Today, Twitter announced that it is using the DMARC technology with its emails, making it less likely that users will see any email pretneding to be from a Twitter.com address.

“We send out lots of emails every day to our users letting them know what’s happening on Twitter. But there’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information, commonly called ‘phishing’,” said Twitter Postmaster Josh Aberant.

“Without getting too technical, DMARC solves a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols,” he said. “It builds on established authentication protocols (DKIM and SPF) to give email providers a way to block email from forged domains popping up in inboxes. And that in turn lessens the risk users face of mistakenly giving away personal information.”

Twitter began using DMARC earlier this month. AOL, Gmail, Hotmail/Outlook and Yahoo Mail all take advantage of the technology.

The latest scam to hit the network comes in the form of messages sent to users’ inboxes. These are not simply spam messages that will get caught up in that “other” inbox that Facebook reserves for non-important communications. These messages may come from compromised accounts, ones that could be given access to your inbox.

If you receive one of these scam messages, it’ll look like this:

WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation. Please confirm your Facebook account below:

If the ridiculous assertion that you’ve “annoyed users” doesn’t immediately throw you off, there’s a link.

Upon clicking, a page will prompt users to enter their Facebook account info and password. It then asks you to confirm which webmail service you use to sign-in to Facebook (getting more suspicious). Finally, it drops the big request – your credit card info. At this point, you should definitely realize you’ve been duped and stop entering information.

This scam is similar to another one we reported on earlier this month that also involved private messages from “The Facebook Security Team.” Except we all know that the real Facebook Security team doesn’t send out messages to specific users asking them to verify account details. Both scams warn users that their accounts may be suspended for some sort of unspecified violation of the terms of service.

[GFI via The Next Web]

It’s the latest phishing attack on the network, which sees its fair share of such deceptions. Some users are currently receiving messages from pages called Security Team, which ask users to verify their accounts via outside link or face an account suspension.

Here’s what the scam message looks like, courtesy Facecrooks:

As you can see, the scammers use the same logo that the real Facebook Security page uses, hoping that it will give the message more credibility with users. It’s also grammatically well constructed (for the most part), something we can’t say for most phishing scams that hit Facebook.

But the link that it contains should tip you to its illegitimacy. It uses Facebook’s app’s domain to link users to a page asking for their page name, phone number, and password.

A quick search on Facebook yields dozens of pages for “Security Team,” all using the official Facebook Security logo and all created in the last couple of weeks. These pages, as obvious scam attempts, should be removed fairly soon. But others will always pop up in their place. Always be vigilant.

Today, Facebook has unveiled on new way for users to report phishing attempts across the network.

Now, if you come across any shady attempt to acquire your username, password, or other personal information, Facebook wants you to file a report. You can do this by sending an email to the new address phish@fb.com.

“By providing Facebook with reports, we can investigate and request for browser blacklisting and site takedowns where appropriate. We will then work with our eCrime team to ensure we hold bad actors accountable. Additionally, in some cases, we’ll be able to identify victims, and secure their accounts,” says Facebook.

Facebook reminds users that they should be wary of any email that asks for login or financial info. One thing that users can do to protect themselves while investigating possible scams is to navigate to websites directly, instead of using the provided links within emails, chat messages, or posts.

“This new reporting channel will compliment internal systems we have in place to detect phishing sites attempting to steal Facebook user login information. The internal systems notify our team, so we can gather information on the attack, take the phishing sites offline, and notify users. Affected users will be prompted to change their password and provided education to better protect themselves in the future,” they say.

In April, Facebook launched the Anti-Visus Marketplace which allows users to download trial version of various popular anti-virus software. At the time, they also incorporated those company’s databases into their own URL blacklist. Last month, they unveiled the new Malware Checkpoint, which allows users to be more proactive in their own security.

Another thing that helps is the improved attention to detail from North American web users, which helps explain the rise of phishing attempts in Latin America, the Middle East, and Asia. As for Google’s Safe Browsing effort, this month marks the five-year anniversary of the program, giving Google an opportunity to point out where they’ve been successful:

• We protect 600 million users through built-in protection for Chrome, Firefox, and Safari, where we show several million warnings every day to Internet users. You may have seen our telltale red warnings pop up — when you do, please don’t go to sites we’ve flagged for malware or phishing. Our free and public Safe Browsing APIallows other organizations to keep their users safe by using the data we’ve compiled.
• We find about 9,500 new malicious websites every day. These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing. While we flag many sites daily, we strive for high quality and have had only a handful of false positives.
• Approximately 12-14 million Google Search queries per day show our warning to caution users from going to sites that are currently compromised. Once a site has been cleaned up, the warning is lifted.
• We provide malware warnings for about 300 thousand downloads per day through our download protection service for Chrome.
• We send thousands of notifications daily to webmasters. Signing up withWebmaster Tools helps us communicate directly with webmasters when we find something on their site, and our ongoing partnership with StopBadware.org helps webmasters who can’t sign up or need additional help.
• We also send thousands of notifications daily to Internet Service Providers (ISPs) & CERTs to help them keep their networks clean. Network administrators can sign upto receive frequent alerts.

Their report also points out the monthly discoveries of phishing sites and malware-infected sites, all of which are things to avoid. If you haven’t been keeping up with how the war on malicious software and unscrupulous phishing attempts, you would be wise to increase your levels of vigilance:

This new email scam comes packaged in a highly convincing fashion and claims to come directly from Facebook. The subject line will tell you that “you have notifications pending,” and the body will say “Hi, here’s some activity you have missed on Facebook.” The email will also prompt recipients to click buttons to “Go To Facebook” and to “See All Notifications.”

Of course, the only words of advice here are to stay away from those links.

Here’s an actual, non-scammy notification email from Facebook:

And here’s the scam email. You can see how people could be fooled – the scammers have done a remarkable job rendering a similar design to the message.

According to Sophos’ Naked Security blog, the links took them to a Canadian pharmacy site that offered male enhancement drugs like Cialis and Viagra – typical. “Chances are that the spammers are earning affiliate cash by driving traffic to the pharmaceutical website,” they said.

Of course, these types of links could take you on any number of malicious trips – a phishing site, a site containing malware, etc. Just be on your toes, Facebook users.

LinkedIn yesterday responded to the password leak within a few hours, announcing on its blog that affected accounts had been disabled and that members would be receiving instructions on how to reset their password. One point Vicente Silveira, director at LinkedIn, made clear in his blog post announcing the company’s response was that the emails sent out would not contain any links to reset passwords. From the post:

…members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.

This mirrors password advice Silveira gave in an earlier blog post yesterday where he stated that users should never change their password by following a link in an email they did not request. As Camp pointed out, these types of email spam are common, and these particular emails might not be related to the recent password leak. Still, users should be careful of these types of spam and other, more malicious phishing attacks which redirect users to websites spoofed to look exactly the same as the login page for a website they use.

(Screenshot courtesy ESET)

The latest case involves a retiree losing roughly $6,600 after giving up his bank information to a fake site that looked identical to the real site of his bank, which ended up illegally transferring the funds to Greece, who incidentally can use all the transfers it can get. Still, Germany’s highest civil court has decided that the retiree was the one who was negligent, as Sparda Bank had offered its clients multiple warnings regarding phishing. And, Germany’s Federal Criminal Police Office (BKA), logged 5,000 reports of phishing in 2010, a big jump from 2009.

Still, the retiree did sit down and take the time to enter 10 TAN codes (transaction numbers) into the fake site. Who does that? The elderly maybe – and it’s clear Germans might, as the TAN codes are commonly used in that country to verify accuracy of online transactions. The codes can then be printed out, texted or looked up on a smartphone. Sparda Bank’s defense also noted that being prompted to enter multiple TAN codes is a classic sign of phishing.

According to the Local, “The plaintiff argued that the bank had a duty to protect its customers from the abuse of these codes – But the federal court upheld previous judgements by the district and state courts, agreeing with the bank’s argument that the customer should bear responsibility for falling for the con.” So, the retiree is out almost 7 grand, and Youtube might also soon be looking at a much more substantial loss.

In related news, it has been reported that the Syrian Electronic Army has been trying to gain access to rebel accounts using phishing tactics, though they likely shouldn’t be too worried, as Anonymous has been monitoring the goings on of that situation.

The phishing email Naked Security is warning of appears as if it were sent from the “Google+ team.” The email supposedly confirms that the user’s recovery email address has been changed, and that if the user has not done this, they should follow a link that has the link-text of http://accounts.google.com and update their account. The last paragraph of the email is in a larger font and reads “However, Failure to do so may result in account suspension permanently.” [sic] That’s an odd statement, since the email also states at one point that if the user has, in fact, changed their recovery email address then they can disregard the email entirely.

It’s logical contradictions such as this, numerous grammar and punctuation errors, and the threat of “account suspension permanently” that gives away a phishing scam. Also, for those who are really paying attention, Google uses https for all of its sites now. Obviously, the link to the Google accounts page actually leads to a phishing site that will steal the user’s Google login credentials. And with Google services so intimately linked, that means the phisher would have access to the user’s Gmail, Google docs, Google+, and YouTube accounts, among others. An Android phone could also be compromised through Google Play.

It can be easy to fall for such a scam if users are in a hurry or aren’t paying attention. And Google isn’t the only company being spoofed, as some Apple customers have found out. Users who simply take some time and enter the URL for the websites they use manually should be safe. Also, Google users can add some extra protection to their accounts by turning on 2-step verification, which requires a code messaged to a user’s phone before logging in on a new computer.