

At RANDOMTYPE we run our clients through Rackspace for our hosting services. Rackspace has great support and a variety of services. One such service we use them for is email. One benefit of Rackspace email is that it is set up not to accept bulk email sending, which prevents spam from compromised email accounts and the like.

This morning we received a notification from Rackspace that one of our clients had exceeded the send limit and that their email account had been temporarily disabled. Obviously a problem for our client, so it was time to put on the investigator cap and dig in.

The shutoff notification contained a copy of the email that was being sent out. Written in the email was the following:

Helen Stevens commented on your Wall post.
Helen wrote: “you are full of shit!”

Those are hurtful words! The email looked like this:

Example phishing email

Yikes! That is a really authentic-looking email, which is what our client was about to send out to some 400+ recipients, and which thankfully Rackspace blocked. Now I can’t know for sure, but most likely our client received that same email and followed one of the 3 links that appeared in it. So where do those links go?

Digging into the HTML behind the email, it turns out all the links go to a malicious site that isn’t Facebook (go figure), at the address http://cefalo.de/neu/neu.html. Here’s a screenshot of that website:

Facebook Phishing Login Screen

Other than a bad URL in the title bar, that website looks like Facebook, and there is no fault to be placed on someone who unknowingly enters their email and password into that site. Doing a check on the root of that domain (http://cefalo.de) reveals the following page:

Root domain of phishing website

So it’s easy to conclude that the website owner doesn’t know their website has been compromised and is being used to launch phishing attacks (although they do now, since I sent them an email informing them as much). The sad thing is that it doesn’t look like this could have been prevented automatically for our client. Doing a check using McAfee’s SiteAdvisor turned up the following sunny report:

McAfee logo certifying the site as safe

This really got me thinking. Are the tools to detect phishing only reactive? That is, do they require enough potential victims to report a webpage as unsafe before it gets flagged as such? Or are there any tools out there that are preventative? A couple of ideas come to mind on how that could be accomplished… but that seems like a hard problem – much like spam was back in the day…
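Checking where each link in the message actually points, as the investigation above did by hand, is one of the preventive checks the previous paragraph asks about. The following is an added example, not code from the original post: it parses a constructed Facebook-styled HTML email and flags every link whose target host lies outside the brand's own domains, including look-alike hosts that merely start with the brand name. The sample message, the host name phish.example.invalid and the BRAND_DOMAINS list are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the original message): an HTML email styled as a
# Facebook notification in which every link points at a non-Facebook host.
SAMPLE_EMAIL_HTML = """
<p>Helen Stevens commented on your Wall post.</p>
<a href="http://phish.example.invalid/neu/neu.html">See the comment thread</a>
<a href="http://phish.example.invalid/neu/neu.html">Reply to this email to comment</a>
<a href="http://www.facebook.com.phish.example.invalid/">Go to Facebook</a>
"""

# Assumed list of domains the impersonated brand legitimately links to.
BRAND_DOMAINS = {"facebook.com", "fb.com", "facebookmail.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_matches_brand(host, brand_domains=BRAND_DOMAINS):
    """True only for the brand domain or a real subdomain of it; look-alike
    hosts such as www.facebook.com.phish.example.invalid fail this test."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def suspicious_links(html, brand_domains=BRAND_DOMAINS):
    """Return (href, text) for every link whose host is outside the brand."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text) for href, text in parser.links
            if not host_matches_brand(urlparse(href).hostname or "", brand_domains)]
```

Run against the sample, all three links are reported, which is the same signal the manual inspection above produced; a message whose links all resolve to facebook.com hosts produces an empty list.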

  • Xpir8

    Thanks, I got that email & am just checking it out... good info, so many spoof emails these days!

  • Web designer

    We also have a client that received this email. They did click the link; however, they did not enter their username and password. From your investigation, was this a phishing attempt to capture the user’s Facebook credentials – or did the page have malware/spyware?

    Thanks in advance for your help

    • Gavin Miller

      The page had malware on it according to one test suite that I ran it against, and they were also targeting Facebook credential capturing. So a bit of both really.