Recently in Facebook Category


Be on the lookout for fake Facebook e-mail notifications telling you that someone is looking for you.  The spoofers used the 'notoficationsfacebook' handle in the e-mail address, notoficationsfacebook @ myfisrstphotoinc.com.  The mail item originated from illimail.com (75.126.156.14), a domain currently hosted on godaddy.com.

The e-mail boils down to getting you to click a link in the message, which points to:

http://facebook-rplymsgsimm.ahlamoontada.com/h7-page

Now ahlamoontada.com is a domain hosted on the same IP address by the same hosting company.  There are two additional IP addresses associated with ahlamoontada.com (74.86.145.74 and 74.86.145.73).

[Screenshot: facebookmailspoof.jpg]

"Angelina Jolie" invited me to join Facebook, and the invite looks all legit and everything, or does it?  The e-mail address the invite was sent to is already registered with Facebook, so "WHY" would it be asking me to sign up?  "WHY" would it be asking me to add the e-mail address to my Facebook account?

This new phishing attempt tries to get users to click the link(s), drawing them to a website that is not Facebook, for reasons unknown but definitely nefarious.

[Screenshot: facebook_invite_fake_01.png]
Like any phishing e-mail, the links do not take you to the actual site (e.g. Facebook); in this instance, if you click the button or the links, you are taken to some compromised site(s).  In fact, every link in the e-mail has been substituted with the alternate site (see below for the list of sites).

The e-mail itself originated from two different IP addresses:

217.12.70.152 (RU)
95.72.115.111 (RU)


So, the bottom line: the e-mail request looks very authentic if it weren't for one question, "Why would Angelina Jolie be asking me to join Facebook?"  Be warned, be cautious and be alert.

Compromised/Free Hosting Sites used by Phishers:

  • http://xyddds.110mb.com/index.htm
  • http://grapevinephotography.com.au/1.htm
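Both posts above come down to the same two checks a reader (or a mail filter) can make: does the link's host actually belong to facebook.com, and does the sender's mailbox domain? The script below is an added example and not code from the original posts; it runs the links and the spoofed sender quoted above through those checks. The one genuine Facebook URL and the user@host URL on example.net are constructed for contrast, and the sender address is the one from the first post with its defanging spaces removed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = 'facebook'
BRAND_DOMAIN = 'facebook.com'


def host_belongs_to(hostname, domain=BRAND_DOMAIN):
    """True only for the domain itself or a subdomain of it.

    The suffix match is anchored on a label boundary ('.' + domain), so
    'notfacebook.com' or 'facebook.com.example.net' do not pass.
    """
    hostname = (hostname or '').lower().rstrip('.')
    return hostname == domain or hostname.endswith('.' + domain)


def classify_url(url, brand=BRAND, domain=BRAND_DOMAIN):
    """Return 'legitimate', 'lookalike', 'off-brand' or 'malformed'."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ('http', 'https') or not parts.hostname:
        return 'malformed'
    if host_belongs_to(parts.hostname, domain):
        return 'legitimate'
    # Inspect the whole authority (userinfo included), so a brand name placed
    # before an '@' is flagged just like a brand name in a subdomain label.
    if brand in parts.netloc.lower():
        return 'lookalike'
    return 'off-brand'


def sender_matches_brand(address, domain=BRAND_DOMAIN):
    """True when the mailbox domain of a From/Reply-To value is the brand's."""
    _, addr = parseaddr(address)
    return host_belongs_to(addr.rpartition('@')[2], domain)


# Constructed sample input: the links quoted in the two posts above, plus one
# genuine Facebook URL and one user@host URL on the reserved example.net.
SAMPLE_LINKS = [
    'http://facebook-rplymsgsimm.ahlamoontada.com/h7-page',
    'http://xyddds.110mb.com/index.htm',
    'http://grapevinephotography.com.au/1.htm',
    'http://www.facebook.com/',
    'http://www.facebook.com@example.net/login',
]
# The spoofed sender from the first post, with the defanging spaces removed.
SAMPLE_SENDER = 'notoficationsfacebook@myfisrstphotoinc.com'


def triage(links=SAMPLE_LINKS):
    """Map each link to its verdict."""
    return {u: classify_url(u) for u in links}


if __name__ == '__main__':
    for link, verdict in triage().items():
        print(f'{verdict:<11} {link}')
    print('sender is facebook.com:', sender_matches_brand(SAMPLE_SENDER))
```

The brand-in-hostname test is deliberately coarse: it flags any authority that mentions the brand without belonging to it, which is exactly the pattern in facebook-rplymsgsimm.ahlamoontada.com, while sites with no brand reference at all are reported as plain off-brand redirect targets.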


[Screenshot: facebook-password-reset.png]
You know, nothing good ever comes out of China: not the dog food, not the toys, not even the e-mail, which is where this e-mail originated.

I'm sure this e-mail has been around the internet for a while now: an e-mail trying to make itself look like it originated from Facebook Security.  But why would they send you an attachment, and why would they send it with a salutation as generic as "Dear user of Facebook"?  As Facebook Security, you would think they have access to your information, at least your name, instead of starting off with "user of facebook".  Learn to capitalize.  "Thanks, Your Facebook" ????

Well, whoever programmed this worm to send out this fake e-mail needs to work a lot more on its presentation.

Received: (qmail 14489 invoked from network); 26 Apr 2010 19:24:49 -0400
Received: from unknown (HELO LHZQXMPMNV) (113.227.200.139)
  by XXXXXXXXXX.XXX with SMTP; 26 Apr 2010 19:24:48 -0400
Received: from 113.227.200.139 by dev.null; Tue, 27 Apr 2010 07:24:46 +0800
Date:    Tue, 27 Apr 2010 07:24:46 +0800
From:    "Facebook Security" <login@facebook.com>
X-Mailer: The Bat! (v3.0.0.15) Educational
Reply-To: joelj1@TheLawnMan.com
X-Priority: 3 (Normal)
Message-ID: <115938311.59530933606448@TheLawnMan.com>
To: XXXXXXXXX@XXXXXXXXXX.XXX
Subject: Facebook Password Reset Confirmation! Important Message

A look at the originating IP address indicates that it came from China:

inetnum:      113.224.0.0 - 113.239.255.255
netname:      UNICOM-LN
descr:        China Unicom Liaoning province network
descr:        China Unicom
country:      CN
admin-c:      CH1302-AP
tech-c:       GZ84-AP
remarks:      service provider
status:       ALLOCATED PORTABLE
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP
mnt-lower:    MAINT-CNCGROUP-LN
mnt-routes:   MAINT-CNCGROUP-RR
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed@apnic.net 20081208
changed:      hm-changed@apnic.net 20090508
source:       APNIC
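Reading the headers the way the post does can be scripted. The following is an added example and not code from the original post: it parses the quoted headers with the standard library, takes the connecting IP from the Received line that the recipient's own server wrote (lines below that one were supplied by the sender and can say anything, such as the "by dev.null" hop), pulls out the HELO name, compares the From and Reply-To domains, and checks the IP against the inetnum range from the whois output. The header block is the one quoted above with its recipient placeholders kept; the hostname XXXXXXXXXX.XXX is passed in as the assumed name of the receiving server.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post above, placeholders intact.
RAW_HEADERS = """\
Received: (qmail 14489 invoked from network); 26 Apr 2010 19:24:49 -0400
Received: from unknown (HELO LHZQXMPMNV) (113.227.200.139)
  by XXXXXXXXXX.XXX with SMTP; 26 Apr 2010 19:24:48 -0400
Received: from 113.227.200.139 by dev.null; Tue, 27 Apr 2010 07:24:46 +0800
Date:    Tue, 27 Apr 2010 07:24:46 +0800
From:    "Facebook Security" <login@facebook.com>
X-Mailer: The Bat! (v3.0.0.15) Educational
Reply-To: joelj1@TheLawnMan.com
X-Priority: 3 (Normal)
Message-ID: <115938311.59530933606448@TheLawnMan.com>
To: XXXXXXXXX@XXXXXXXXXX.XXX
Subject: Facebook Password Reset Confirmation! Important Message

(body omitted)
"""

IPV4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')
HELO = re.compile(r'\((?:HELO|EHLO) ([^)]+)\)', re.IGNORECASE)


def received_chain(msg):
    """Received headers newest-first, with header folding collapsed."""
    return [re.sub(r'\s+', ' ', h).strip() for h in msg.get_all('Received', [])]


def _mail_domain(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header_value or '')[1].rpartition('@')[2].lower()


def analyse(raw, our_host):
    """Summarise the trust-relevant facts in a raw message header block.

    our_host is the receiving server's name; only the Received line it wrote
    is trusted for the connecting IP and HELO, since the sender controls
    everything appended before that.
    """
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    connecting_ip = helo = None
    for hop in hops:
        before_by, found, _ = hop.partition(f'by {our_host}')
        if found:
            ip = IPV4.search(before_by)
            connecting_ip = ip.group(1) if ip else None
            name = HELO.search(before_by)
            helo = name.group(1) if name else None
            break
    from_domain = _mail_domain(msg.get('From'))
    reply_to_domain = _mail_domain(msg.get('Reply-To'))
    return {
        'hops': len(hops),
        'connecting_ip': connecting_ip,
        'helo': helo,
        # A HELO that is not even a dotted hostname is a classic bot trait.
        'helo_looks_bogus': helo is not None and '.' not in helo,
        'from_domain': from_domain,
        'reply_to_domain': reply_to_domain,
        'reply_to_mismatch': bool(reply_to_domain) and reply_to_domain != from_domain,
    }


def ip_in_inetnum(ip, inetnum):
    """Check an address against a whois 'inetnum' range like '113.224.0.0 - 113.239.255.255'."""
    low, high = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split('-'))
    return low <= ipaddress.IPv4Address(ip) <= high


if __name__ == '__main__':
    result = analyse(RAW_HEADERS, 'XXXXXXXXXX.XXX')
    for key, value in result.items():
        print(f'{key:<18} {value}')
    print('in UNICOM-LN range:', ip_in_inetnum(result['connecting_ip'],
                                                '113.224.0.0 - 113.239.255.255'))
```

The From header claims facebook.com while replies are routed to TheLawnMan.com and the connection came from a random-looking HELO on a Chinese consumer network; any one of these is reason to distrust the mail, and together they are the same conclusion the post reaches by eye.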




About this Archive

This page is an archive of recent entries in the Facebook category.
