Wednesday, November 23, 2011

Bad luck, or spear phishing? A tale of Facebook, the Better Business Bureau, and Colombian Drug Lords

There has been a concerning coincidence of events over the last 18 hours that's causing me some alarm. It first started at 11:51 last night when I received an email notification from Facebook (or so it appeared) that "you requested a new Facebook password." No big deal, right? Well, I hadn't noticed that email until after I had looked at the email received very early this morning from the Better Business Bureau (or so it appeared) notifying me of a complaint about my company that looked pretty legit:


I've gotten pretty suspicious over the years, so while I was concerned that there might be an outstanding complaint against our company (bad guys use exactly this fear to get you to act without thinking first), I hovered over the hyperlink (on my Mac) as a precaution and saw this:

Now I'm no Mac developer, but this doesn't seem right, especially when looking at the top-level domain of the hyperlink: .cn (China). Incidentally, hovering over the link on a PC only shows you the top-level domain, domain, and subdomain, without all the Apple gobbledygook in front. Finding the source IP in the Internet headers of the message, I do a whois lookup and find the sender is registered in Colombia (no, not as in British or District of). Buenos días to you, señores! Googling "applewebdata," I find some discussion on how this syntax runs internal commands on iOS and OS X devices. My sense of alarm increases.

Then I notice the Facebook email. Knowing now that I might be under targeted attack, I am much more skeptical about that email. How do I know that it is legit? Hovering over the hyperlinks and doing a whois lookup on the source IP give me confidence that this email is actually legit, which can only mean one thing: this is not a phishing email, but someone (not me) is trying to reset the password of my Facebook account. The Facebook email gives me the chance to disavow the original password request, which I do only after being satisfied that it really is from Facebook.
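The two checks described above (pulling the source IP out of the Received headers, and looking at where a link really points versus where it claims to) can be scripted so that the triage takes seconds instead of a morning. The following is an added example in Python, not code from the original post: the message it parses is constructed, every host in it is a placeholder (`.test` and `example.*` names, with `example-corp.test` standing in for the author's own mail domain and `bbb.example.com` for the organization being impersonated), and the whois step is left to the reader because it needs network access. It finds the border hop, that is, the lowest Received header written by one of our own servers, since every header below that was supplied by the sender and can be forged, and flags anchors whose visible URL disagrees with the href or whose host is not on the trusted list.

```python
"""Offline triage of a suspicious e-mail: locate the hop where the message
entered our own mail infrastructure (the 'source IP' in the Internet headers)
and flag links whose visible text or host does not match the real href.

Added example; the sample message is constructed and every domain in it is a
placeholder. The whois lookup is left out because it needs network access.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The sender's relay sits in TEST-NET-2 space, which is why
# private/loopback ranges are excluded by hand below instead of relying on
# ipaddress.is_global (that would also drop the documentation ranges).
SAMPLE_EML = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.9])
\tby mail.example-corp.test with ESMTP id abc123; Wed, 23 Nov 2011 02:14:11 -0500
Received: from host.example-sender.test (unknown [198.51.100.77])
\tby mx.example-corp.test with ESMTP; Wed, 23 Nov 2011 02:14:09 -0500
Received: from [192.168.1.20] (localhost [127.0.0.1])
\tby host.example-sender.test; Wed, 23 Nov 2011 02:14:05 -0500
From: "Better Business Bureau" <complaints@bbb.example.com>
To: you@example-corp.test
Subject: Complaint #12345 against your company
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A complaint has been filed against your company. Review it here:
<a href="http://bbb-complaint-review.example.net/view?id=12345">http://www.bbb.example.com/complaint/12345</a></p>
<p>Regards, <a href="http://www.bbb.example.com">BBB</a></p>
</body></html>
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in _INTERNAL)


def origin_ip(msg, our_domains):
    """IP of the first hop outside our own mail servers.

    Received: headers are prepended at each hop, so index 0 is the most recent.
    The lowest header stamped 'by' one of our hosts is the border hop; lines
    below it were written by the sender and may be forged, so only that one is
    trusted. Fallback (no border found): earliest non-internal IP anywhere.
    """
    received = [re.sub(r"\s+", " ", str(h)) for h in msg.get_all("Received", [])]
    border = None
    for idx, line in enumerate(received):
        m = _BY_RE.search(line)
        if m and _under(m.group(1).lower(), our_domains):
            border = idx                      # keep going; the lowest wins
    lines = [received[border]] if border is not None else list(reversed(received))
    for line in lines:
        for ip in _IP_RE.findall(line):
            if not _internal(ip):
                return ip
    return None


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None


def check_links(html, trusted_domains):
    """One finding per anchor: real host, host shown in the link text (if the
    text is a URL), whether they disagree, and whether the real host is trusted."""
    p = _Links()
    p.feed(html)
    p.close()
    out = []
    for href, text in p.links:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = None
        if re.match(r"https?://", text.strip(), re.I):
            text_host = (urlparse(text.strip()).hostname or "").lower()
        mismatch = text_host is not None and text_host != href_host
        trusted = _under(href_host, trusted_domains)
        out.append({"href_host": href_host, "text_host": text_host,
                    "tld": href_host.rsplit(".", 1)[-1] if "." in href_host else "",
                    "mismatch": mismatch, "trusted": trusted,
                    "flagged": mismatch or not trusted})
    return out


def triage(raw_eml, our_domains, trusted_domains):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"origin_ip": origin_ip(msg, our_domains),
            "links": check_links(html, trusted_domains)}


if __name__ == "__main__":
    report = triage(SAMPLE_EML, {"example-corp.test"}, {"bbb.example.com"})
    print("origin IP (feed this to whois):", report["origin_ip"])
    for f in report["links"]:
        print(("FLAG " if f["flagged"] else "ok   ") + f["href_host"],
              "shown as", f["text_host"] or "(plain text)")
```

Run it against the raw source of a real message (most mail clients have a "view source" or "show original" option) with your own mail domain and the impersonated organization's real domain in place of the placeholders; the IP it prints is the one to feed to whois. The border-hop rule is the caveat worth remembering: the Received line at the very bottom of the message looks like "where it came from" but is the easiest one for a sender to fabricate.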

I also take the precaution of changing my Facebook password, deactivating and then reactivating my account, and reviewing my security settings. Facebook has some great options for security, including two-factor authentication using a registered mobile phone, login approvals, and registered devices.


I notice six registered devices, some that I recognize and others I don't. I disable all of them, and re-register my personal and work machines. I also log out of my mobile app session.

Out of an abundance of caution, I reset my personal email password and work domain password. I'm also running an AV scan on my OS X machine.

This is a lot of work, and it has taken up much of my morning. I doubt the average user would know what to do or have the inclination to take all these steps. I hope this post serves to educate end users and technical folks alike about the dangers that exist out there. Be cautious, be suspicious, and be vigilant, because "the Devil prowls around like a roaring lion, seeking whom he may devour." (Who knows that reference?)

Is this a case of a targeted spear-phishing attack by Colombian banditos, or just an unfortunate coincidence, arriving in time for Thanksgiving-dinner storytelling? I'm not sure, but it was one of the more believable spoofs I've seen to date.