Spear Phishing using Facebook activity

Spear phishing is an extremely potent hacking vector that combines social engineering with phishing. Basically, an attacker tries to learn enough about a specific victim to inform the design of a fake email that the victim is more likely to think is legitimate and thus open and engage with. For a detailed example of spear phishing in action, see this account of how the Onion’s Twitter account was hacked.

Standard phishing is generally thought of as a brute-force attack in which the attacker crafts fake emails meant to fool the broadest set of people possible (e.g., you’re much more likely to see a phishing email claiming to be from a large national bank, like Chase or Bank of America, than a small regional bank). Spear phishing, by contrast, has conventionally been viewed as a more bespoke approach that is targeted at a specific individual or organization. So the current conventional wisdom is that normal phishing attacks are relatively easy to spot, and only relatively sophisticated attackers going after high-value targets, like access to government or corporate systems, use spear phishing. But what if that’s changing?

Over the last several months, I have been the target of what might be a new, more scalable, approach to spear phishing. I have been receiving phishing emails that are sent using the names of people I know but not their email addresses (see below).

I was at first confused at how the attackers were coming up with these names. My first fear was that they had hacked my email account and thus had access to my address book, but I have 2-step verification enabled and I didn’t see any suspicious access in the Last account activity.

Then as I was looking through my spam folder this week, I noticed a pattern: the names being used were all people who had recently commented on my Facebook posts. This is just a hypothesis and there’s a lot I still don’t understand about the attack, like how they associated my email address with my Facebook profile, how they are scraping the comments on my Facebook posts, and most of all why they would target me.

But if in fact they are scraping Facebook activity to come up with the names to use as senders, this opens up a much more scalable (and thus dangerous) vector for spear phishing. I’m very curious to hear if anyone else has experienced similar attacks and/or has any other information to add.
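The pattern described above, a familiar sender name paired with an unfamiliar address, can be checked mechanically on the receiving side. The following is an added example, not part of the original post: the address book, the sample messages and the function names are all constructed for illustration.

```python
from email import message_from_string, policy

# Constructed address book (an assumption): display name -> that person's real addresses.
KNOWN_CONTACTS = {
    "alice example": {"alice@example.com"},
    "bob sample": {"bob@example.org", "bob.sample@example.net"},
}

def normalize_name(name):
    """Lower-case and collapse whitespace so 'Alice  Example' matches the book."""
    return " ".join(name.lower().split())

def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Classify the From header as 'match', 'impersonation' or 'unknown'."""
    # policy.default parses address headers and decodes RFC 2047 encoded names.
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return "unknown"
    sender = header.addresses[0]
    known = contacts.get(normalize_name(sender.display_name))
    if known is None:
        return "unknown"        # the name is not someone in the address book
    if sender.addr_spec.lower() in known:
        return "match"          # known name, known address
    return "impersonation"      # known name, unfamiliar address

# Constructed sample messages; none of these are real senders.
SAMPLES = [
    "From: Alice Example <alice@example.com>\nSubject: lunch\n\nhi",
    "From: Alice  Example <x9k2@mailer.invalid>\nSubject: hey\n\nlook at this",
    "From: =?utf-8?q?Bob_Sample?= <promo@mailer.invalid>\nSubject: hi\n\nlook",
    "From: Carol Nobody <carol@example.com>\nSubject: hello\n\nhi",
]

def classify_samples():
    return [check_sender(raw) for raw in SAMPLES]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, classify_samples()):
        print(verdict, "<-", raw.splitlines()[0])
```

A check like this only helps if the address book reflects the addresses your contacts actually use; a contact writing from a new address will also be flagged and needs to be verified out of band.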

24 thoughts on “Spear Phishing using Facebook activity”

  1. Review your facebook apps. Are there any suspicious websites you’ve signed up to with facebook-login? Even half-suspicious? When you sign up for these apps they get 1. your email, 2. if you’ve agreed to it: names and activity from your friends. Even if none of your facebook apps looks suspicious, they might have been hacked and the hacker thus might have gained info about you and your friends on facebook. That’s one possibility I’d consider.

  2. I’ve experienced something similar last week. An email, purporting to be from my sister, with a link to a Romanian domain name and web page.

    Immediately I knew it was phishing, but on further investigation I realized it was not her email address at all.

    Good to know I’m not alone in this.

  3. Looks like someone has used the latest Facebook privacy vulnerability exploit. [URL Redacted] This exploit lets you send private messages from everyone.

    1. I believe this is a different issue. This post is about emails looking like they were sent by people who have commented on my Facebook posts. There are no Facebook private messages involved in this particular attack.

  4. Several months ago, several of my wife’s friends complained that she was sending them spam. I was suspicious that something else was going on because my wife only uses GMail, and other mail programs on her accounts aren’t even configured. So we asked her friends to forward the spam to me. It was more or less identical to your example: it used her name, but the email was from a Yahoo! account that belonged to the spammer.

    So: it’s common, it’s been going on for at least 6 months. And it will probably become more common and more dangerous. Ironic that I read this the same morning that I read about Facebook’s partnership with Acxiom.

    (May blog about this on O’Reilly’s site…)

    1. The only reason I wrote this post is that I couldn’t find any information on these types of attacks. So the more people who are aware of them, the better.

    2. Yahoo says these spams are due to a password hack and you should change your password immediately. Just adding upper lower case, a number, a special symbol increases the difficulty of hacking many fold.

  5. I received an email a few weeks ago I thought was related to an FB friend which turned out to be linked to somewhere else, don’t remember where exactly…

  6. My wife and sister have both received invites from accounts created that look like mine, have my name and profile picture and everything.

    Obviously I told them both to decline, it seems they are also utilising this aisle of attack.

    If you receive friend requests from people you already had on your friends list, double check that they aren’t fake before accepting, even if you need to mail the person or call them to verify.

  7. Unfortunately facebook tends to leave everything wide open unless you restrict it, rather than the sensible way round. Turn off the app platform (unless you’re desperate to play candy crush) and set the permissions so that only friends can see your posts, and you should be OK unless your friends are the spammers.

  8. It’s too bad all of this bad behavior is facilitated by the way our information is being marketed to various commercial concerns. They can just buy our friends from Facebook now…

  9. Unless I’m overlooking something, I’ve seen this sort of thing years ago when an acquaintance had his/her pc/email account compromised and the spammer sent spam to everyone in the address-book claiming to be from another randomly selected name in it.

  10. I can’t imagine why anyone would sign in to any site other than facebook using their facebook login. That’s like letting the hotel make a copy of your house key so you can “conveniently” use it to access your hotel room. It violates every principle of common sense security. Any web site that requires me to connect only via facebook will not get my participation. As to facebook apps, I can count the ones I use on the fingers of an amputated hand… zero. And FB friends who dun me with their daily apps activity get blocked along with the politics. I just don’t get the whole “share everything with everybody” mentality. Of COURSE you are going to have privacy violations, the whole thing is one great big pane of glass. Facebook constantly nagged me to provide my home town, my workplace, my high school – as if I’d be kicked off if I didn’t. I attempted to type NOYFB into all the fields, but – get this – you can’t come from a high school that facebook doesn’t already have a page for! So I ended up filling all of these profile fields with ridiculous things and I urge any other FB users to do the same. Oh yeah, FB has that nagging “friend finder” that asks for your email password. What part of “Security Prime Directive” do the facebutchers not get? Unbelievable. When one of my friends who should know better shows up “Joe Blow used friend finder to blah blah blah” I cringe because I’m probably in Joe Blow’s address book. Well I don’t cringe too much. My email address on facebook is different from the ones I use for other stuff.

  11. I’ve gotten a number of these from family. Like lots of folks, I use facebook to keep up with family living far away. My 77 year old mother uses it to check pictures of the grandkids. How do we explain this to a 75 or 80 year old (or someone else who is technically naive) who thinks that she’s getting pictures of the grandkids?

  12. First of all, is your facebook profile public? Which makes it easy to scrape your facebook wall.

    It might or might not be related, but one thing I find interesting with Facebook is how Facebook knows about my gmail contacts. I have a Gmail contact that I regularly send emails to in Gmail. Only in Gmail. He is NOT one of my facebook friends.

    When I’m logged in to Gmail and Facebook at the same time, Facebook shows me his name and profile as “People You May Know” in Facebook in the top right hand corner.

    Interesting because I have never searched for him in Facebook.

      1. Nope. I don’t have any of his friends. His friends are Asian and mine are Caucasian and Hispanic. I think Facebook is looking at my gmail emails since it only happens when I’m logged in to both at the same time.

  13. Yes, I’ve seen this with friends’ names from Facebook. They came with either .cz addresses or yahoo addresses. I would love to know if it is possible to scrape Facebook.

  14. I’ve been getting a lot of these for two or three months now. A lot come from Yahoo accounts. I forwarded them to Yahoo and got a form e-mail directing me to their SPAM reporting site. I checked it out. The only thing you can do there is report SPAM you are receiving as a Yahoo customer. I guess they don’t care if their customers are the source even if the practice is illegal.

    An alternative is to forward them to the US Department of Justice. They have a SPAM reporting e-mail address but I don’t remember exactly what it is right now – Google it.
