You're only pretending to be my friend
August 31, 2012 12:10 PM   Subscribe

For the past week or so I have been receiving phishing emails at my non-Facebook email account which appear to be from my Facebook friends. The sender's name is one of my Facebook friends, but the email addresses are not their real email address. The subject line reads FOR (MY FIRST NAME) and the message contains a link (which I never click, of course). Clearly there has been some access to my friend list and my email address. I am not using any apps on Facebook, and never give apps access to my info—my privacy settings are pretty locked down, or so I thought. Facebook is absolutely no help on this. I can't find a way to even report this to them because their reporting mechanism asks for links and there are none. I've changed my password, and locked down my privacy settings even more. Any ideas about how this happened and how to fix the security hole?
posted by ljshapiro to Computers & Internet (19 answers total) 3 users marked this as a favorite
 
I have also been receiving phishing e-mails in this new format. I had not made the connection to Facebook, but both of the names used in the "from" line are Facebook friends of mine.
posted by alms at 12:18 PM on August 31, 2012


I am not using any apps on Facebook, and never give apps access to my info

Ah, but are your friends all so savvy? I get a round of that crap every time some vaguely-remembered high school classmate starts punching buttons.
posted by Lyn Never at 12:19 PM on August 31, 2012 [1 favorite]


Ah, but are your friends all so savvy? I get a round of that crap every time one of my friends uploads the entire contents of their address book.
posted by tilde at 12:24 PM on August 31, 2012


Hmm, haven't seen anything like that, unless it is getting filtered into my Spam folder. If it is coming from Facebook, it is possible someone installed a trojan Facebook app on their Wall, which is harvesting their friends list for email addresses. If you haven't installed any fishy games or apps, it is very likely that one of your friends did. You have to grant that level access to an app when you install, but it isn't a stretch to imagine a friend or relative not really paying attention to such things 'cause, "Cool! I want this pretty pictures/new game/crap application."
posted by insert.witticism.here at 12:24 PM on August 31, 2012


Is the name their full name or just their first name. I get spam all the time with a link for me supposedly from a friend and the first name will be my friend's name but will also be a fairly common name. There will be no last name. I would just flag it as spam and move on.
posted by amapolaroja at 12:48 PM on August 31, 2012


Response by poster: It's their full name, and I've received messages "from" Facebook friends who are not in my regular email address book, so I'm pretty sure Facebook is the common factor here. The one I received this morning is "from" someone with a very unusual name, using both first and last. Possibly someone else installed a trojan app, as insert.witticism.here suggests. It's really annoying that Facebook makes this so hard to report.
posted by ljshapiro at 12:56 PM on August 31, 2012


I've also had this happen from two of my Facebook friends, one of whom hardly uses Facebook and almost certainly doesn't use apps - She's tech-savvy and wouldn't give out her stuff. I actually emailed her the first time it happened, thinking maybe her info had been compromised, but then it happened with another friend a few weeks later. I told them both to change their Facebook passwords, just in case, but I don't want to spend a ton of energy remotely trying to explain to them that they need to go through their app list with a fine-toothed comb.

Are your privacy settings adjusted so that even your friends cannot see your email address? Mine are set so it's visible to my friends. I should lock that down one of these days...
posted by lizzicide at 1:02 PM on August 31, 2012 [1 favorite]


I've been getting the same format spam emails - about one-two a week since about the middle of July - with full names in the "from" field with a clearly incorrect email address - except my emails also have a date & time stamp under the link. The disturbing thing, to me, is that the subject contains my first name. Usually spammy emails do not have my first name, since it is not part of my email address. I know everything can be spoofed, but the "from" names are people that I would not expect to have fallen for clicking a bad link. (and obviously I have not been clicking either.) I didn't even think about connecting this whole experience to facebook. But it does make sense. And no, I don't know what to do about it.
posted by molasses at 1:06 PM on August 31, 2012


Lyn Never and tilde, perhaps you should stop using the mind meld technology quite so frequently.
posted by instead of three wishes at 1:20 PM on August 31, 2012 [7 favorites]


I've had one of these, an email from someone I only know on Facebook and have never emailed separately.

We figured it must be a Facebook app of some kind and since we're both ridiculously draconian in never installing FB apps that it must be someone that one of us knows with a less security conscious take on the app permissions thing.

It's just another reason that FB sucks hard. Your email's security is based on everyone you have as a friend not being dumb. Good luck with that.
posted by merocet at 1:22 PM on August 31, 2012


It's absolutely a Facebook hole. I just delete them (I'm getting two a day or so).
posted by Sidhedevil at 2:15 PM on August 31, 2012


I've been getting them for a while now too. All of them are FB friends and it always includes their name, but with a bogus email address. Sometimes my name is in the subject line, sometimes not.

I have no advice, other than DELETE.
posted by tacodave at 2:25 PM on August 31, 2012


Best answer: I've been getting these. One of the things Facebook allows (encourages) app/game programmers to do is suck down a list of all your friends and their contact information. Facebook makes it very easy to do this, and in fact is part of what they consider to be "Basic Information" (which is an odd spelling of "everything"). One of your friends installed a bad app who is using that info for bad things. Good luck tracking it down.
posted by rhizome at 3:36 PM on August 31, 2012 [3 favorites]


Best answer: And just to be complete, what is going on is that the spam has some random email address, sent from a spammer's server, with the "full name" of the email address set to one of your Facebook friends.
posted by rhizome at 3:38 PM on August 31, 2012 [1 favorite]


Best answer: Naked Security just released this likely explanation.
posted by gubenuj at 4:56 PM on August 31, 2012 [4 favorites]


"Woopsy!!" --Facebook
posted by rhizome at 5:39 PM on August 31, 2012 [1 favorite]


One of your foolish friends almost certainly installed a Facebook app that has full access to their contact list, or otherwise uploaded their whole address book to some shady third party service.
posted by thewalrus at 7:33 PM on September 1, 2012


From the article:

"The social network said it's since enhanced its scraping protections to protect against such attacks and will continue to investigate, but that there's been neither a mass compromise of Facebook accounts nor any leak of private information."

Not sure how sending emails to millions of people isn't a "mass compromise of Facebook accounts," but whatever.
posted by Melismata at 8:53 AM on September 5, 2012


Well, someone getting contact information about you isn't a compromise, but that's besides the point. The bigger issue is that they think everything leaked should be considered public information. "Private information" to them is likely defined simply as information that you haven't given them already.
posted by rhizome at 9:27 AM on September 5, 2012


« Older Overnight parking in the Outer Banks?   |   Help me be age-appropriate! Newer »
This thread is closed to new comments.


Tags

Share