Malware Spam harvesting Facebook Information

A couple of years back at our annual RSA "top threat" panels, one of the possible exploits I suggested was the use of social network information to automate targeted e-mail. At that time, most "spear phishing" was done by first manually collecting information about the victim, then crafting an e-mail based on that information. In short: the exploit didn't scale and was expensive. Most of what a halfway skilled attacker can do by hand can be done cheaper and faster by a decent Python/Perl script.

Since then, we have seen a number of mass mail campaigns using automated harvesting of social network information. For example, some of the early campaigns searched LinkedIn for specific job titles.

This latest one abuses information published on Facebook. The spam appears to come from a "Facebook Friend" of yours. As a sample:

From: Some Friend <>
Subject: FOR FIRSTNAME
To: your@emailaddress

The e-mails carry what appear to be valid Yahoo DKIM signatures, so they were likely sent from compromised or throwaway Yahoo accounts. "FIRSTNAME" is the recipient's first name and "Some Friend" is the friend's name. Depending on your e-mail client, you may not see the e-mail address used in the "From" header.
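To make the two header observations above (a friend's display name on a mailbox that friend does not use, and a DKIM signer that need not match the claimed sender) usable at the mail gateway, here is an added example for triaging such messages. It is not code from the diary or from ISC: the address book, the four sample messages and their DKIM-Signature values are constructed (the b= values are not real signatures), and cryptographic DKIM verification is assumed to have already been done by the MTA or a library; the script only reasons about the headers a verified message leaves behind.

```python
"""Flag mail that borrows a known contact's display name while arriving from
an unrelated mailbox, or whose DKIM signer does not cover the From domain.
Added example with constructed data; DKIM signature verification itself is
assumed to happen upstream (MTA or a library such as dkimpy)."""
import email
import re

# Constructed address book: display name -> addresses that contact really uses.
KNOWN_CONTACTS = {
    "Some Friend": {"some.friend@example.com"},
    "Another Friend": {"another@example.org"},
}

# Subject template seen in the diary's sample ("FOR FIRSTNAME").
FOR_NAME_SUBJECT = re.compile(r"^\s*FOR\s+[A-Z][A-Z'\-]*\s*$")

# 'Display Name <addr>'; tolerant of an empty <> as in the diary's sample.
# (Deliberately simple: no comments or escaped quoted-strings handled.)
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]*)>\s*$')


def split_from(value):
    """Return (display_name, lower-cased address) from a From header value."""
    m = FROM_RE.match(value)
    if m:
        return m.group("name").strip(), m.group("addr").strip().lower()
    return "", value.strip().lower()          # bare address, no display name


def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in sig.split(";"):               # tags are ';'-separated k=v pairs
        k, _, v = tag.partition("=")
        if k.strip().lower() == "d":
            return v.strip().lower()
    return None


def analyse(raw):
    """Return a list of findings for one RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = split_from(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    signer = dkim_signing_domain(msg)

    # 1. A contact's name on a mailbox that contact is not known to use.
    known = {a.lower() for a in KNOWN_CONTACTS.get(display, ())}
    if known and addr not in known:
        findings.append("display name '%s' belongs to a known contact, but "
                        "address '%s' is not theirs" % (display, addr or "<empty>"))

    # 2. Signed by one domain while the From address claims another.
    if signer and from_domain and from_domain != signer \
            and not from_domain.endswith("." + signer):
        findings.append("DKIM d=%s does not cover From domain %s" % (signer, from_domain))

    # 3. Subject matches the campaign's template.
    if FOR_NAME_SUBJECT.match(msg.get("Subject", "")):
        findings.append("subject follows the 'FOR FIRSTNAME' template")
    return findings


# Constructed samples. SPAM_A mimics the diary's sample (empty angle address),
# SPAM_B leaves a throwaway Yahoo address visible, SPOOFED pairs a contact's
# real address with a foreign signer, LEGIT is genuine mail from the contact.
SPAM_A = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; c=relaxed/relaxed;
 h=From:Subject:To; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Some Friend <>
Subject: FOR ALICE
To: alice@example.net

hi alice
"""
SPAM_B = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; h=From:Subject:To;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: "Another Friend" <zq8817c@yahoo.com>
Subject: FOR BOB
To: bob@example.net

bob
"""
SPOOFED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s1024; h=From:Subject:To;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Some Friend <some.friend@example.com>
Subject: photos
To: alice@example.net

see attached
"""
LEGIT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:Subject:To;
 bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Some Friend <some.friend@example.com>
Subject: lunch on Friday?
To: alice@example.net

still on?
"""

if __name__ == "__main__":
    for label, raw in (("SPAM_A", SPAM_A), ("SPAM_B", SPAM_B),
                       ("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

Note that the campaign described in the diary passes check 2 whenever the From address is itself at yahoo.com, which is exactly why a valid DKIM signature says nothing about whether the sender is really your friend; check 1, driven by the recipient's own contact list, is what catches it.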

To double-check your Facebook (or other social network) privacy settings, log out, then search for yourself on the social network and verify that the information returned is in line with your privacy expectations.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



ISC Handler
Aug 27th 2012
The interesting thing is that I am getting Spam using the names of FB friends sent to an e-mail address that is not my primary FB e-mail, and isn't visible, as far as I can see.
Same here. The messages are directed to a legacy email address that is my login email address for Facebook, but is not my primary email address and as far as I know isn't available to any of my FB friends. This would seem to point more at a server-side breach than to a user malware exploit, although it's hard to be sure that there isn't an API somewhere that exposes the secondary email address.
