Facebook glitch lets spear phishers impersonate users' friends and family

Filed Under: Facebook, Featured, Phishing, Privacy, Social networks, Spam, Vulnerability

Spear fishing. Image from ShutterstockFacebook, blaming a "temporary misconfiguration," accidentally let spear phishers vacuum up users' personal details so they could pose as friends and family and thus make their come-ons convincing, the company told Forbes on Wednesday.

Forbes staffer David M. Ewalt was alerted to the threat when he himself received two targeted spam messages in the preceding week, both sent to a personal email address registered with his Facebook account.

Both emails appeared to come from someone he interacts with on Facebook. The sender personalized the subject line with the text "for David."

When Ewalt checked the messages' header fields (here are instructions on how to do that), he saw his friend's name in the "From" field, but the originating address wasn't their typical account; instead, it was "a bogus-looking Yahoo! Philippines email," he wrote.

He quickly found that others had reported similar spear phishing Facebook emails, all received in the past few weeks.

Facebook told Forbes that it has discovered what it called a "single, isolated campaign that was using compromised email accounts to gain information scraped from Friend Lists due to a temporary misconfiguration on our site."

The social network said it's since enhanced its scraping protections to protect against such attacks and will continue to investigate, but that there's been neither a mass compromise of Facebook accounts nor any leak of private information.

According to Ewalt, the spear-phishing emails pose as messages from close friends or family members, address the intended victim by name in the subject line or body of the message, and include a link to a website controlled by the spammers, all meant to exploit people's tendencies to click on strange links if they come from those whom they trust.

So, has Facebook now fixed the problem? Perhaps not judging by this tweet from Reuters reporter Joseph Menn:

While Facebook tries to get to the bottom of the problem, here are its recommendations on the steps users should take to protect their accounts:

  • Review your security settings and consider enabling login notifications.
  • Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious. How do you determine if a link is "strange"? Hover over a link without clicking on it. You'll see the full URL of the link's true destination in a lower corner of your browser.
  • Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't trust the sender. Instead, navigate to the website directly.
  • Be suspicious of any email with urgent requests for login or financial information, and remember, unless the email is digitally signed, you can't be sure it wasn't forged or spoofed.
  • Don’t accept friend requests from unknown parties.
  • If you come across a scam, report it so that it can be taken down. Facebook earlier in the month introduced a dedicated email address for reporting phishing scams: phish@fb.com.
  • Don’t download any applications you aren’t certain about.
  • When accessing Facebook from places like hotels and airports, text "otp" to 32665 to receive a one-time password to your account.
  • Visit Facebook’s security page and read the items "Take Action" and "Threats".

And on a related note, how do we verify whether email addresses are fake? Well, you could alway ping it.

Tech blogger Amit Agarwal wrote up instructions on how to ping an email address to determine if it was real of fake.

Or you could plug the questionable email address into this nifty little email verifier I came across.

It seems to work. Therefore, I'm sorry to report, NehemiahHesters@lisavaas.com, that you don't exist, so I guess I can't "Buy Ciails and Viarga online," which is a shame, since they sound like new drugs, tropical resorts, or a combination of both - the last of which strikes me as genius.

Spear fishing image from Shutterstock.

, , , ,

You might like

10 Responses to Facebook glitch lets spear phishers impersonate users' friends and family

  1. Benjamin Duncan · 1133 days ago

    I discovered one of these today in my GMail Spam folder (which I check everyday). I just deleted it thinking it was either an old compromised account, or someone had picked my friend's name at random. However it fits the pattern above, and it was sent to an email lnked to my Facebook account. Even if it's fixed the Spammers may already have downloaded and sold the data.

  2. Claire Williams · 1133 days ago

    I've had three in the last 7 or so days. Its disgusting that FB have allowed this to happen. I agree with Benjamin's comment and wonder how far my info has got in the spam chain?

  3. Mara Alexander · 1132 days ago

    I got 2 of these, also. What this article doesn't address (and really should), is the fact that once spammers have your email address, they NEVER give up. Your email address will be spammed and sold to other spammers. I still get spam in an old email address that hasn't been used since 2001.

  4. suzette emsley · 1128 days ago

    thIs has happened to me twIce. I contacted FB and they told me to change the password. that dId not work eIther so I had to post on my feed about It an warn all my frIends not to open anythIng from me. I also changed my emaIl.

  5. Kim B · 1123 days ago

    Friends are receiving emails from "me". I've changed all my passwords and they're still receiving them. My friends list on FB is NOT public. There's more to this than FB is telling us....

  6. Nope dont think its fixed have received at least 17 of these since the 29th of october and many more before that date.

  7. Greg · 1031 days ago

    Who's friend list was scraped? The one who is receiving the email or the one whose name appears as the sender of the email?

  8. Cindy · 937 days ago

    Help. Facebook is continuously adding to my friends list on my online sidebar. I have unfriend me, I have changed all my privacy settings. I have changing my FB password and my email password. I don't know what to do. It is irritating to my friends to get emails from me to friend me.

  9. Jason · 904 days ago

    I'm sure Facebook did fix the hole right away, but the damage was done. The bad actors possessed our names and friend's lists.

    I'm really annoyed that Facebook hasn't gotten any grief for this. The phishers/spammers definitely are continuing to use the data on a daily basis. I know this because I am still getting the e-mails myself AND they are now spoofing one of my e-mail addresses (not my FB address) into the From field on these e-mails.

    They send out the spam messages in 2-3 batches every morning. I know this because each time they do it, I immediately get 10-40 "undeliverable" messages. I also get people daily replying to their "friends" saying: "Hi [friend's name]! No, I've never heard of this diet. Do you think I need to lose weight?" Sigh.

  10. rabin · 816 days ago

    a little more information about the types and contents about facebook glitch would have been great, These folks <a href="http://www.facebookloginhelp.net" target="_blank">www.facebookloginhelp.net have tried something good.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.