Spear-Phishing: Is Facebook the Source of Your Spam?

Screen Shot 2014-02-02 at 3.10.49 PM

Have you received an email that said it was from someone related to you, but upon closer examination you saw that it was from an unknown email address, and it contained a spam link in the email’s body? If so, you might have thought that either you or your friend had been hacked, but this is something sneakier: spear-phishing.

Yes, I have received spear-phishing emails, and as a Forbes article explains…

…it used to be rare. But a new breed of spammers are tapping into the vast amount of personal data available on sites like Facebook, Google+ and LinkedIn to learn all about you, and then pose as your closest friends in millions of fraudulent emails.

The new breed of spear-phishing emails appear to be sent by a close friend or family member, address the victim by name in the subject line or body of the message, and include a link to a website controlled by spammers. They exploit the fact that you’re more likely to click on strange links if they’re sent by a trusted friend.            Forbes August 29, 2012


Symptoms You Might Have a Spear-Phishing Problem

It’s simple enough to check incoming emails sender’s addresses in the Gmail web portal (which is what I primarily use), so when a message came that appeared to be from Kev but it landed in my spam folder, it was easy to find that it actually wasn’t sent from him.  I found the email strange enough that I captured the screenshot and forwarded it to Kev, but because it wasn’t from his email address and because I didn’t click the link, I figured neither of us had been hacked.

A few days later, I received a similar email (which also landed in my spam folder) which on first glance appeared to be from my daughter. Once again the email address didn’t match, so I deleted that one. I did find it odd that two emails addressed from people I know and trust had come in from the wrong email addresses, but I didn’t think to investigate until I got this text from my brother-in-law, Mark.

text from Mark

Here’s the email he received …

email from judie stanford that isn't from judie stanford

… and of course, it wasn’t from me.

For a moment, I thought that maybe I had been hacked, but then I thought to ask Mark about who the email had actually been sent from. In this case, the email was from a calquipcorp address.

So how would a spammer even know that my husband, my daughter, my brother-in-law and I were all connected? How would they get our names? If they knew to start with me, then I could understand them being able to find my husband’s or my daughter’s names, but I don’t think that I have ever acknowledged the relationship I have with my brother-in-law anywhere … except for Facebook.


The Source of Your “Infection”? Could Facebook Be the Culprit?

A bit of searching, and it appears that Facebook may actually be the source for this personal connection information.

One of the things that many people miss in FB’s fine print is that if you “Like” something that comes from a FB page (e.g., a group, company, or whatever), it results in the information you only share with your FB friends being exposed to the owners of the page. That includes when you “Like” a picture or a posting that someone else reposts. A really easy way to harvest information with FB is to create a page and post one of those pictures that has a slogan ending “Please Like this if you agree.”Deman_nu


Click here for a more detailed explanation

Obviously, not all apps or pages on Facebook are harvesting your information for nefarious reasons, but it’s really not too big of a reach to imagine that if someone wanted to create a new kind of spam, one that relied on relationships rather than random senders, this might actually be taking place, and it is. Evidently this type of harvesting has been going on for some time, as many of the posts in the Google forum where I learned about this vulnerability were written in 2012.

In Facebook, you can search for people by their email address. The spammers must be doing email searches, going to the page, and if the friend list is public sending the spoofed emails. It seems to be choosing relatives or people with the same last name for the spoofed “From” name. – ejgejg

And then I found this:


Facebook has FINALLY released a statement about this problem to ONE media outlet:  Forbes.  They also state that even with the “misconfiguration” that allowed spammers to obtain user information: “To be clear, there was neither a mass compromise of Facebook accounts nor any leak of private information”  However, they don’t explain how the spammers obtained the email address to send the spam too, since many people’s email address is private on Facebook, (as are their friends list).  I expect more information to be released as more media outlets pick up on this.

Here’s another link regarding how this happened:  http://isc.sans.edu/diary.html?storyid=13981&rss

In the mean time, you should forward all emails that are linked to this problem to ph…@spamreport.facebook.com21Red

But of course, the problem didn’t stop in 2012. As recently as this week, there is talk of a Facebook bug that can expose users to privacy hacks.

“Think about it like this: You download an app that promises to do one thing, but actually comes from a hacker who wants to seriously invade your privacy by mining your data,” reads a post on the company’s blog. “Given the right coding, this developer could trigger the same effect, basically making it impossible for a user to disconnect this malware app and revoke its permission to access your personal information.”

In other words once you are “infected” it is difficult to shake a spear-phishing infection.

The Remedy to a Spear-Phishing Infection.

So how can you stop it, short of killing your Facebook account? It may be too late to get your name off these spammer’s databases, but here are some immediate steps to take:

1. When you receive an email from anyone, even those who are related or close to you, that doesn’t look “right”, check to see what email address was actually used to send it; if it is not their email address, it is a spear-phishing attempt.

2.. It may be too late to stop this round of spear-phishers, but you should still keep your Facebook privacy settings under control.

  • Set it so that only your friends can see your friends list

Screen Shot 2014-02-17 at 7.18.54 PM

  • Set it so that only your friends can see your family members (mine had been set so that friends of friends could see them, oops!)
  • Make sure that your address, phone numbers, and email addresses are only visible to friends (assuming you want them to have that information)
  • Don’t friend people you don’t actually know or that you haven’t actually chatted with outside of a Facebook request
  • Make sure that you use the “View As” Privacy feature on Facebook often so you can see exactly what someone who isn’t a friend can see. If you are comfortable with what’s showing, that’s good. If not, then you can and should change it.

Screen Shot 2014-02-17 at 7.29.56 PM

  • Reevaluate the Facebook apps that you use and consider deleting ones you no longer use, as one of them may be the source of your data leak.

Screen Shot 2014-02-19 at 12.57.09 PM

You’ll notice that I had given permissions to 231 apps, more than half of which I had completely forgotten about; I have since pruned that down to 114 apps.

  • You should adjust the settings on what people who use apps can share about you. According to Facebook, “People on Facebook who can see your info can bring it with them when they use apps. This makes their experience better and more social. Use the settings below to control the categories of information that people can bring with them when they use apps, games and websites.”

Screen Shot 2014-02-19 at 1.15.44 PM

Forbes also offered up some additional steps you might take. We’ll be posting them to our Facebook page later today.

It’s obvious that whether the 2012 Facebook “misconfiguration” was corrected or not, the collected data problem is ongoing. The spear-phishing emails are no longer only from Yahoo accounts, they are now from Cox, calquipcop, and who knows how many others. We have to be vigilant, and we have to remind our less tech-savvy friends to be careful.

Have you received any spear-phishing emails? If so, take a moment to check (and change) your privacy settings, and then tell us all about it!

As an Amazon Associate, we earn from qualifying purchases. If you are shopping on Amazon anyway, buying from our links gives Gear Diary a small commission.

About the Author

Judie Lipsett Stanford
Judie is the co-owner and Editor-in-Chief of Gear Diary, which she founded in September 2006. She started in 1999 writing software reviews at the now-defunct smaller.com; from mid-2000 through 2006, she wrote hardware reviews for and co-edited at The Gadgeteer. A recipient of the Sigma Kappa Colby Award for Technology, Judie is best known for her device-agnostic approach, deep-dive reviews, and enjoyment of exploring the latest tech, gadgets, and gear.