• Print

Phishing in Facebook’s Pond

Facebook scraping could lead to machine-generated spam so good that it's indistinguishable from legitimate messages.

A recent blog post inquired about the incidence of Facebook-based spear phishing: the author suddenly started receiving email that appeared to be from friends (though it wasn’t posted from their usual email addresses), making the usual kinds of offers and asking him to click on the usual links. He wondered whether this was a phenomenon and how it happened — how does a phisherman get access to your Facebook friends?

The answers are “yes, it happens” and “I don’t know, but it’s going to get worse.” Seriously, my wife’s name has been used in Facebook phishing. A while ago, several of her Facebook friends said that her email account had been hacked. I was suspicious; she only uses Gmail, and hacking Google isn’t easy, particularly with two-factor authentication. So, I asked her friends to send me the offending messages. It was obvious that they hadn’t come from my wife’s account; they were Yahoo accounts with her name but an unrecognizable email address, exactly what this blogger had seen.

How does this happen? How can a phisher discover your name and your Facebook friends? I don’t know, but Facebook is such a morass of weird and conflicting security settings that it’s impossible to know just how private or how public you are. If you’ve ever friended people you don’t know (a practice that remains entirely too common), and if you’ve ever enabled visibility to friends of friends, you have no idea who has access to your conversations.

The day I read this post, I also read about Facebook’s deal with Acxiom and other information vendors. If you know anything about Acxiom, you know that they’re one of the biggest brokers of personal data in the country. Acxiom’s data is supposedly “anonymized,” but if you know anything about data de-anonymization, and how much easier de-anonymization becomes when you have access to multiple data sources, you know that’s not much comfort. As Jeff Jonas has pointed out, given sufficient data and a few pieces to the puzzle, it’s easy to locate, say, the Turkish guy who lives near the O’Reilly employee in Connecticut. If you’ve never searched for yourself online, you should; you’ll be surprised what’s known about you.

Facebook is buying data, not selling it, and they would certainly argue that there’s no way someone reading Facebook pages could reverse-engineer the information that they’ve bought from Acxiom. I’m not so certain, particularly given Facebook’s history as a company that pushes the limits, then apologizes, and adds even more arcane security settings. It’s not as if personal information hasn’t leaked out many times over the years, going back to a surprise marriage proposal that was spoiled when Facebook told the groom’s friends that he had just bought an engagement ring. Facebook is trying to build a legit ad placement business on top of their social graph, but in doing so, have they inadvertently built the greatest asset for cybercrime that the world has ever seen?

The issue isn’t that Facebook will be phishing you themselves. It’s that your Facebook pages will be scraped, whether Facebook likes it or not, and all the data that can be extracted about you will be in the phisher’s hands. The recent phishes that I’ve seen have been primitive. It’s fairly easy to look at a message that says “Hey, Mike, lower your credit card rate” and realize that it’s spam, even if it looks like it came from one of your friends. But that’s not the end of the road. It’s not hard to craft a message that really looks like it came from a friend, and offers you something that you might genuinely be interested in. Such a message might refer to things you’ve said online or know facts that you’ve only shared with friends. At that point, it’s much harder to resist. And we’re not necessarily talking about phishes trying to sell bogus credit card services: we’re talking about attempts to get at corporate data (“Hey, Mike, who’s going to be in the 10 a.m. meeting tomorrow? I’ve forgotten. BTW, loved your Radar post on Facebook”), other personal data, passwords, etc. And any message that can be crafted by humans could, without too much work, be generated by machines.

Our future will inevitably include lots of carefully personalized, machine-generated spam; that spam might be so good that it will be indistinguishable from a message you might legitimately receive from a friend. And that’s not going to be pleasant.

tags: , , , ,
  • Chris Ensey

    The issue also leads to more tactical phishing. If you are a retailer or bank and you have a large social engagement on facebook or another site, your customers are providing some fantastic leverage for the adversary to launch a successful phishing campaign with highly accurate information. The same activities are being perpetrated on LinkedIN as well: http://blog.digitalarmored.com/2013/05/anatomy-of-linkedin-spammer.html

  • floatingbones

    I have received a couple of these e-mails. Gmail is flagging them as spam. Since they’re flagging the pattern of messages, that indicates to me that the messages are not spear phishing — they’re casting a much broader net. @Chris is right — the same mechanisms could be used for a highly-targeted attack.

    Steve Gibson had a great discussion on his “Security Now!” podcast about Facebook’s marketing “EFF: How Facebook Monetizes”. The podcast is available through the usual channels and Steve provides transcripts (transcript of this episode is at https://www.grc.com/sn/sn-404.txt ). Steve was talking about the EFF’s memo https://www.eff.org/deeplinks/2013/04/disconcerting-details-how-facebook-teams-data-brokers-show-you-targeted-ads . My main takeaway was that we’re giving away too much information by using one e-mail address to all users. We’d be better off dithering addresses to aggregators like FB and Google or (far better) providing a unique e-mail address for every vendor relationship. I believe there’s an opportunity for e-mail vendors to provide a service where we have a different e-mail address for every connection.

    Also, Facebook must do a better job at aggressively shutting down those that scrub their pages and abuse the data. They need to have honey-pots in place to identify the scanning-bots and shut them down. If they ignore these leaks, they risk damaging their own brand’s reputation and increasing the exodus of users to services that pay attention to the details.

    • abcdef-g

      test

  • Goca Jote

    du te vjell adresa

  • Goca Jote

    I love you