My next class:

Malware Spam harvesting Facebook Information

Published: 2012-08-27. Last Updated: 2012-08-27 13:40:02 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

A couple years back at our annual RSA "top threat" panels, one of the possible exploits I suggested was the use of social network information for more automated targeted e-mail. At that time, most "spear phishing" was done by first manually collecting information about the victim, then creating an e-mail based on that information. In short: The exploit didn't scale and was expensive. Most of what a half way skilled attacker can do can be done cheaper and faster by a decent python/perl script.

Since then, we have seen a number of mass mail campaigns using automated harvesting of social network information. For example, some of the early campaigns searched Linked-In for specific job titles. 

This latest one abuses information published on Facebook.  The spam appears to come from a "Facebook Friend" of yours. As a sample:

From: Some Friend <randomname@yahoo.co.id> Subject: FOR FIRSTNAME To: your@emailaddress

The e-mails contain what appears to be valid Yahoo DKIM signatures, so they are likely sent from compromised or throw away Yahoo accounts. "FIRSTNAME" would be the recipients first name, and "Some Friend" would be the friends name. Depending on your e-mail client, you may not see the email address used in the "From" header.

To double check your Facebook (or other social network) privacy settings, make sure you log out, then search for yourself on the social network and verify that the information you get back is in line with your privacy expectations.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

2 comment(s)
My next class:

Comments

The interesting thing is that I am getting Spam using the names of FB friends sent to an e-mail address that is not my primary FB e-mail, and isn't visible, as far as I can see.
Same here. The messages are directed to a legacy email address that is my login email address for Facebook, but is not my primary email address and as far as I know isn't available to any of my FB friends. This would seem to point more at a server-side breach than to a user malware exploit, although it's hard to be sure that there isn't an API somewhere that exposes the secondary email address.

Diary Archives