Facebook, blaming a “temporary misconfiguration,” accidentally let spear phishers vacuum up users’ personal details so they could pose as friends and family and thus make their come-ons convincing, the company told Forbes on Wednesday.
Forbes staffer David M. Ewalt was alerted to the threat when he himself received two targeted spam messages in the preceding week, both sent to a personal email address registered with his Facebook account.
Both emails appeared to come from someone he interacts with on Facebook. The sender personalized the subject line with the text “for David.”
When Ewalt checked the messages’ header fields (here are instructions on how to do that), he saw his friend’s name in the “From” field, but the originating address wasn’t their typical account; instead, it was “a bogus-looking Yahoo! Philippines email,” he wrote.
He quickly found that others had reported similar spear phishing Facebook emails, all received in the past few weeks.
Facebook told Forbes that it has discovered what it called a “single, isolated campaign that was using compromised email accounts to gain information scraped from Friend Lists due to a temporary misconfiguration on our site.”
The social network said it’s since enhanced its scraping protections to protect against such attacks and will continue to investigate, but that there’s been neither a mass compromise of Facebook accounts nor any leak of private information.
According to Ewalt, the spear-phishing emails pose as messages from close friends or family members, address the intended victim by name in the subject line or body of the message, and include a link to a website controlled by the spammers, all meant to exploit people’s tendencies to click on strange links if they come from those whom they trust.
So, has Facebook now fixed the problem? Perhaps not judging by this tweet from Reuters reporter Joseph Menn:
While Facebook tries to get to the bottom of the problem, here are its recommendations on the steps users should take to protect their accounts:
- Review your security settings and consider enabling login notifications.
- Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious. How do you determine if a link is “strange”? Hover over a link without clicking on it. You’ll see the full URL of the link’s true destination in a lower corner of your browser.
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t trust the sender. Instead, navigate to the website directly.
- Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can’t be sure it wasn’t forged or spoofed.
- Don’t accept friend requests from unknown parties.
- If you come across a scam, report it so that it can be taken down. Facebook earlier in the month introduced a dedicated email address for reporting phishing scams: firstname.lastname@example.org.
- Don’t download any applications you aren’t certain about.
- When accessing Facebook from places like hotels and airports, text “otp” to 32665 to receive a one-time password to your account.
- Visit Facebook’s security page and read the items “Take Action” and “Threats”.
And on a related note, how do we verify whether email addresses are fake? Well, you could alway ping it.
Tech blogger Amit Agarwal wrote up instructions on how to ping an email address to determine if it was real of fake.
Or you could plug the questionable email address into this nifty little email verifier I came across.
It seems to work. Therefore, I’m sorry to report, NehemiahHesters@lisavaas.com, that you don’t exist, so I guess I can’t “Buy Ciails and Viarga online,” which is a shame, since they sound like new drugs, tropical resorts, or a combination of both – the last of which strikes me as genius.
Spear fishing image from Shutterstock.