Facebook recently announced that they uncovered an incident where fraudsters used compromised email addresses to scrape lists of Facebook friends due to a misconfiguration on their site. The fraudsters would then target phishing emails to the owners of the email addresses purporting to be from a Facebook friend.
Many phishing emails can be dismissed as scams due to poor grammar and other tells, but when claiming to be from a known friend or acquaintance the receiver is more likely to open the email, download a malicious attachment or click on a malicious link. These targeted phishing tactics, known as spear phishing, have been successful for several years often targeting businesses by impersonating real employees or departments. But with the rise of social media fraudsters are also able to target consumers using personal information and the names of people the victim interacts with via social media sites.
Because of a misconfiguration, fraudsters that had obtained email addresses associated with Facebook accounts were able to scrape the list of names of the Facebook friends associated with that account. They would then send phishing emails to the known email address alleging to be from a Facebook friend, or contact. While the spammers changed the From field to the name of a victim’s Facebook friend, a closer look would show the email coming from an unknown address with a free email domain, such as Yahoo!. Facebook has since enhanced their scraping protections to prevent similar types of attacks and will continue to investigate this case, which they claim was a “single isolated campaign.”
Spear phishing once took careful planning and research, and for this reason fraudsters targeted businesses because of the greater potential earnings per successful scam. But as a large portion of the internet population uses social media, and these accounts are generally associated with an email address, spammers have more ammunition for their spear phishing campaigns and are now launching these attacks against consumers on a much larger scale. Before sending phishing emails to a new email address, fraudsters can use bots to find any social media information associated with that email address and this information can be used to make phishing attacks more targeted and more likely to dupe the victim.
For more information: Facebook Says ‘Misconfiguration’ Allowed Spammers to Impersonate Users