November 21st, 2012

Spam Supposedly from Facebook Friends

As mysteries go this was small change, but I stumbled across its solution earlier today: spam nominally from Facebook friends. I've been getting a recognizable species of link spam every day or two for a couple of months now. The From: field always contains the name of someone I know. The From: email address, however, is unknown to me and does not belong to the person named. The Subject: field is short and nondescript, like "Hello". The body of the message is brief and follows this form:

super http://spammityspam.spam/goosebrow/53zappovat/

11/21/2012 10:33:27 AM

The From: email address is always a gobbledegook address from a big email service like Hotmail or AOL. There may be two or three words before the link, but no more than that. The link destination is different every time. I don't know, don't care, and don't intend to find out what's at the other end of the links.

I first assumed that someone I knew had gotten his or her address book hijacked by a trojan, which has long been a common practice when a machine is hacked. The interesting thing was that many of the people didn't know one another at all. (I asked a few of them.) My next thought was that my own address book had been hijacked, except that two other people (out of eight or nine spams that I had tucked away to examine) were folks for whom I did not have and never had an email address. It took a while for me to realize that the only common element was their presence in my Facebook friends list.
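The pattern described above (a From: display name that belongs to someone you know, paired with an address you do not hold for that person, over a body that is little more than a link) is mechanical enough to check for. The following Python is an added example, not code from the original post: it parses a raw message with the standard library, compares the sender's display name and address against a constructed contact list, and then looks at the body shape. The contact names, addresses and sample messages are all made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list for the example: display name -> addresses we actually hold
# for that person. Every name and address here is made up.
KNOWN_CONTACTS = {
    "Alice Example": {"alice@example.org"},
    "Bob Sample": {"bob@example.net", "bob.sample@example.com"},
}

LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A line holding only a date and time, like the trailing "11/21/2012 10:33:27 AM" in the spam.
TIMESTAMP_LINE_RE = re.compile(
    r"^\s*\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}(?::\d{2})?\s*(?:AM|PM)?\s*$", re.IGNORECASE
)


def plain_text_body(msg):
    """Collect the text/plain content of a parsed message, multipart or not."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify(raw_message, known_contacts=KNOWN_CONTACTS, max_words=3):
    """Return one of:
       'ok'                    - sender name/address pair raises no concern here
       'name-address-mismatch' - From: name is a known contact but the address is not one
                                 we hold for them; body looks ordinary, so worth a look
       'friend-name-link-spam' - the mismatch plus a body that is little more than a link
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    known = {a.lower() for a in known_contacts.get(display_name.strip(), ())}
    if not known or address.lower() in known:
        return "ok"
    # Drop the bare timestamp line so it does not count as "words before the link".
    lines = [ln for ln in plain_text_body(msg).splitlines() if not TIMESTAMP_LINE_RE.match(ln)]
    text = "\n".join(lines)
    links = LINK_RE.findall(text)
    words = [w for w in text.split() if not LINK_RE.match(w)]
    if links and len(words) <= max_words:
        return "friend-name-link-spam"
    return "name-address-mismatch"


# Constructed sample messages (addresses under reserved .example domains).
SAMPLE_SPOOF = (
    "From: Alice Example <qx7z3k9p@mail-provider.example>\n"
    "To: me@example.org\n"
    "Subject: Hello\n"
    "\n"
    "super http://link-placeholder.example/goosebrow/53zappovat/\n"
    "\n"
    "11/21/2012 10:33:27 AM\n"
)
SAMPLE_LEGIT = (
    "From: Alice Example <alice@example.org>\n"
    "Subject: Lunch next week?\n"
    "\n"
    "Hi, are you free on Tuesday? Menu here: http://restaurant.example/menu\n"
    "Alice\n"
)
SAMPLE_MISMATCH = (
    "From: Bob Sample <bob.new@example.org>\n"
    "Subject: new address\n"
    "\n"
    "Hi, I changed mail providers, this is my new address. Let me know you got this. Bob\n"
)
SAMPLE_STRANGER = (
    "From: Carol Nobody <carol@somewhere.example>\n"
    "Subject: Hello\n"
    "\n"
    "look http://link-placeholder.example/xyz\n"
)

if __name__ == "__main__":
    for label, sample in [("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT),
                          ("mismatch", SAMPLE_MISMATCH), ("stranger", SAMPLE_STRANGER)]:
        print(f"{label:9s} -> {classify(sample)}")
```

The check deliberately returns "ok" for a stranger's link spam: that is ordinary spam for the regular filter to handle. What this heuristic isolates is the specific trick of borrowing a friend's name, which is why the name/address comparison comes first and the body shape only decides how loudly to flag it.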


I sniffed around and found a nice description of the problem on CNET. In short, there was a Facebook vulnerability that allowed a scraper to lift the names (but not the email addresses, nor any private information) from my Facebook friends list. Facebook has fixed the vulnerability, or claims to have fixed it. Facebook being Facebook, however, I'm sure there are plenty of others down there in the morass.

Given that over half of the posts in a recent sample of my friends feed today were idiotic or hate-filled images (many images consisting solely of words, which is idiocy cubed, and sometimes words too small to read, which is idiocy to the seventeenth power) I wonder sometimes why I bother.