Spam from 'friends' is actually result of Facebook hole

Facebook has fixed the problem and says spammers are using friend lists they scraped before the fix to send new e-mails.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Are you getting spam that has a Facebook friend's name listed as sender but was actually sent from an unknown e-mail address? Me too.

These are vestiges of an attack that exploited a misconfiguration on Facebook that was fixed last week, according to Facebook. Though spammers aren't scraping any new friend information off Facebook accounts, they are apparently using previously obtained data to send spam. That means the messages could keep coming until e-mail providers are able to find the source of the spam and shut the spammers down.

Here's the Facebook statement:

Recently, we discovered a single isolated campaign that was using compromised e-mail accounts to gain information scraped from Friend Lists due to a temporary misconfiguration on our site. We have since enhanced our scraping protections to protect against this and other similar attacks and will continue to investigate this case further. To be clear, there was neither a mass compromise of Facebook accounts nor any leak of private information.

To help protect our users, we've built enforcement mechanisms to quickly shut down malicious Pages, accounts, and applications that attempt to spread spam by deceiving users or by exploiting several well-known browser vulnerabilities. We have also enrolled those impacted by spam through checkpoints so they can remediate their accounts and learn how to better protect themselves while on Facebook.

Beyond these protections, we've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people. In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that seeks to identify those responsible for spam and works with our legal team to ensure appropriate consequences follow.

I hope the spam stops soon because not everyone will notice that the e-mail didn't come from a friend, and some people might actually click the link that is in the body of the message.
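A defender-side check for the pattern described above, added here as an example and not part of the original article: parse each From: header and flag those that carry a known friend's display name on an address the recipient has never seen for that friend. The contact list and the headers are constructed sample data.

```python
from email.utils import parseaddr

# Constructed address book (hypothetical data): normalized display name ->
# the set of addresses the recipient actually knows for that friend.
KNOWN_CONTACTS = {
    "alice example": {"alice@example.com"},
    "bob example": {"bob@example.net", "bob.example@example.org"},
}

# Constructed sample From: header values in the pattern the article
# describes: a friend's name as display name, but an unknown sending address.
SAMPLE_FROM_HEADERS = [
    "Alice Example <alice@example.com>",
    '"Alice Example" <promo4421@unknown-mailer.example>',
    "Bob Example <bob.example@example.org>",
    "Bob Example <bob@totally-unrelated.example>",
    "Newsletter <news@list.example>",
]


def normalize_name(name: str) -> str:
    """Fold case, stray quotes and repeated whitespace so 'Alice  Example' matches."""
    return " ".join(name.replace('"', "").split()).lower()


def classify_from_header(header: str) -> str:
    """Return 'ok', 'spoofed_name' or 'unknown' for one From: header value."""
    display, addr = parseaddr(header)
    name = normalize_name(display)
    addr = addr.lower()
    if name not in KNOWN_CONTACTS:
        return "unknown"        # does not claim to be a known friend
    if addr in KNOWN_CONTACTS[name]:
        return "ok"             # name and address both match the friend
    return "spoofed_name"       # a friend's name on a foreign address


def find_spoofed(headers):
    """Return the sending addresses of headers that borrow a known friend's name."""
    return [parseaddr(h)[1] for h in headers
            if classify_from_header(h) == "spoofed_name"]


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{classify_from_header(h):13s} {h}")
```

The same check can be run over an exported mailbox by feeding it the From: header of each message; it only knows the friends listed in the address book, so a name that is absent from it is reported as unknown rather than as spoofed.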