Fake Facebook Email Uses Copyrights to Trick EI-ISAC Members

Malicious actors recently targeted members of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) with a copyright-themed fake Facebook email.

Inside the Fake Facebook Email

In mid-May, an EI-ISAC member received an email that claimed to have originated from Facebook. The "From" field displayed "Facebook Business" as its sender, and the email arrived with the subject line "Facebook Copyright #10034576734223762." It also used "Facebook Team" in the signature block and listed a physical address for Facebook in the footer.

Fake Facebook Email Image

Screenshot of the fake Facebook email. (Source: EI-ISAC)

The body of the email informed the recipient that Facebook had taken down some of their content as the result of a copyright infringement. It then instructed them to get the "complaining party" to contact Facebook with the original reference number so that its administrators could restore the content. 

The email included a working Facebook link to provide additional context. But the link also served another purpose.

"The embedded link directed to a Facebook page; however, it was a 'this page isn’t available' page," explained Timothy Davis, Elections Operation Analyst at the EI-ISAC. "It is possible that was designed deliberately (sending to the real Facebook site but a page that doesn’t work) to further increase the chances of communication."

What Gave Away This Email as a Fake

Those responsible for sending the email fell short of crafting the perfect ruse in a couple of ways.

First, the attackers used limited spoofing techniques with the sender email address, "metahelp1255@outlook[dot]com." The domain name here is "outlook.com," not "facebook.com" or "meta.com." True, "meta" appears in the username, but the addition of "help1255" raises the specter of something phishy going on.

Davis agrees.

"The biggest flag here is the 'from' email address – very obviously a fake email," he noted. "It was likely designed to get someone to respond back to this and in the end get their login information out of them or some other piece of information."

Second, the physical address included in the footer is incorrect. The street address is particularly at fault. Meta / Facebook is not located at "1 Facebook Way," as the email claims; its headquarters' address is actually "1 Hacker Way."

Unpacking the Attack Methodology

For their own malicious purposes, bad actors have a compelling reason to target EI-ISAC members' Facebook login credentials and other information.

"These Facebook pages for local jurisdictions represent a source of good information," Davis noted. "Constituents might turn to these pages for legitimate information like changes to polling hours and locations. People could fall victim to this mis-/dis-information."

There's a human factor at work here. If they miss the opportunity to vote, some people might just give up for that election cycle. This can undermine the results of an election if not everyone can vote as they had originally intended.

It does something else, too.

"Impersonation attacks involving an elections organization, even just their social media accounts, can fuel the misinformation cycle," Davis pointed out. "If they got into a victim's Facebook account, is it possible they got into other things? Regardless of the answer, such considerations spread fear and uncertainty about the security of the vote, thus threatening the integrity of the election."

How to Defend Against a Fake Facebook Email

Organizations in the election community can protect themselves against this fake Facebook email by investing in network monitoring and logging. Even so, those measures are secondary to focusing on security awareness training. These efforts aren't just critical for helping employees recognize common cyber hoax scams. They're also essential in helping employees not react with fear to a suspicious email but to analyze it critically and take action.

More than that, security awareness training is most effective when implemented on an ongoing basis. This reflects the fact that many of today's social engineering attacks amount to more than just emails with bad grammar. Sophisticated attack campaigns emerge everyday, but employees won't know about them and be able to report them to IT unless they receive regular security education.

The EI-ISAC can augment these awareness campaigns by alerting member organizations to the the latest attacks and attack types. That includes malicious campaigns that are actively targeting the elections community. None of this is possible unless members report what they see. And in doing so, they help election organizations everywhere.