Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Malware Spam harvesting Facebook Information

Published: 2012-08-27
Last Updated: 2012-08-27 13:40:02 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

A couple years back at our annual RSA "top threat" panels, one of the possible exploits I suggested was the use of social network information for more automated targeted e-mail. At that time, most "spear phishing" was done by first manually collecting information about the victim, then creating an e-mail based on that information. In short: The exploit didn't scale and was expensive. Most of what a half way skilled attacker can do can be done cheaper and faster by a decent python/perl script.

Since then, we have seen a number of mass mail campaigns using automated harvesting of social network information. For example, some of the early campaigns searched Linked-In for specific job titles. 

This latest one abuses information published on Facebook.  The spam appears to come from a "Facebook Friend" of yours. As a sample:

From: Some Friend <> Subject: FOR FIRSTNAME To: your@emailaddress

The e-mails contain what appears to be valid Yahoo DKIM signatures, so they are likely sent from compromised or throw away Yahoo accounts. "FIRSTNAME" would be the recipients first name, and "Some Friend" would be the friends name. Depending on your e-mail client, you may not see the email address used in the "From" header.

To double check your Facebook (or other social network) privacy settings, make sure you log out, then search for yourself on the social network and verify that the information you get back is in line with your privacy expectations.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

2 comment(s)
Diary Archives