Spear Phishing using Facebook activity

Spear phishing is an extremely potent hacking vector that combines social engineering with phishing. Basically, an attacker tries to learn enough about a specific victim to inform the design of a fake email that the victim is more likely to think is legitimate and thus open and engage with. For a detailed example of spear phishing in action, see this account of how the Onion’s Twitter account was hacked.

Standard phishing is generally thought of as a brute force attack in which the attacker crafts fake emails meant to fool the broadest set of people possible (e.g., you’re much more likely to see a phishing email claiming to be from a large national bank, like Chase or Bank of America, than from a small regional bank). Spear phishing, by contrast, has conventionally been viewed as a more bespoke approach that is targeted at a specific individual or organization. So the current conventional wisdom is that normal phishing attacks are relatively easy to spot, and that only sophisticated attackers going after high-value targets, like access to government or corporate systems, bother with spear phishing. But what if that’s changing?

Over the last several months, I have been the target of what might be a new, more scalable, approach to spear phishing. I have been receiving phishing emails that are sent using the names of people I know but not their email addresses (see below).

I was at first confused at how the attackers were coming up with these names. My first fear was that they had hacked my email account and thus had access to my address book, but I have 2-step verification enabled and I didn’t see any suspicious access in the Last account activity.

Then as I was looking through my spam folder this week, I noticed a pattern: the names being used were all people who had recently commented on my Facebook posts. This is just a hypothesis and there’s a lot I still don’t understand about the attack, like how they associated my email address with my Facebook profile, how they are scraping the comments on my Facebook posts, and most of all why they would target me.

But if in fact they are scraping Facebook activity to come up with the names to use as senders, this opens up a much more scalable (and thus dangerous) vector for spear phishing. I’m very curious to hear if anyone else has experienced similar attacks and/or has any other information to add.
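One defensive check that follows directly from the pattern described here is to compare the display name on the From line against the address book and flag messages where a familiar name arrives from an unfamiliar address. The script below is an added example, not code from the original post; the contact list and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed address book (hypothetical contacts, not from the post):
# normalized display name -> set of addresses that name legitimately uses.
KNOWN_CONTACTS = {
    "alice example": {"alice@example.net"},
    "bob sample": {"bob@example.org", "bob.sample@example.com"},
}

def normalize_name(name):
    # Collapse case and whitespace so "Bob  Sample" matches "bob sample".
    return " ".join(name.lower().split())

def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify a From header against the address book.

    'known'   - display name and address both match a contact
    'spoofed' - display name matches a contact, address does not
    'unknown' - display name is not a contact at all
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not name:
        # Bare address with no display name: judge by the address alone.
        all_addrs = set().union(*contacts.values())
        return "known" if addr in all_addrs else "unknown"
    key = normalize_name(name)
    if key not in contacts:
        return "unknown"
    return "known" if addr in contacts[key] else "spoofed"

# Constructed raw messages mimicking the pattern in the post: familiar
# names on the From line, but only the first and third use a real address.
SAMPLE_MESSAGES = [
    "From: Alice Example <alice@example.net>\nSubject: lunch?\n\nhi\n",
    "From: Alice Example <promo@mail-deals.example>\nSubject: Your file\n\nopen\n",
    "From: Bob  Sample <bob.sample@example.com>\nSubject: re: post\n\nthanks\n",
    "From: Someone New <new@example.test>\nSubject: hello\n\nhi\n",
]

def triage(raw_messages, contacts=KNOWN_CONTACTS):
    # Return (subject, verdict) per message; 'spoofed' is the one to quarantine.
    results = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        results.append((msg["Subject"], check_sender(msg["From"], contacts)))
    return results

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:8s} {subject}")
```

A "spoofed" verdict is exactly the case in the post: a name you recognize paired with an address you do not, which is a stronger signal than either field alone.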