A "bogus-looking" Yahoo Philippines email may be used in a new wave of phishing attacks targeting Facebook users, according to a report on Forbes.com.
Forbes said Facebook has discovered a "single isolated campaign" using compromised email accounts to gain information taken from Friend Lists.
"(We have) discovered a single isolated campaign that was using compromised email accounts to gain information scraped from Friend Lists due to a temporary misconfiguration on our site," Forbes quoted Facebook
as saying in a statement released to it.
It said the new attack poses as users' friends and family to trick them into clicking on potentially dangerous links.
Forbes said Facebook has since enhanced its scraping protectins to thwart similar tricks.
"To be clear, there was neither a mass compromise of Facebook accounts nor any leak of private information," it quoted Facebook as saying.
The Forbes report said the new spear-phishing campaign makes the email appear to come from a close friend or family member, and address the victim by name in the subject line or body of the message.
It also includes a link to a website controlled by the spammers.
"They exploit the fact that you’re more likely to click on strange links if they’re sent by a trusted friend," Forbes said.
Forbes.com staff David Ewalt, who wrote the report, said he received two such spear-phishing messages last week at his personal email address he registered with his Facebook account.
"In both cases, the sender appeared to be someone I interact with on Facebook, and the subject line was personalized ('for David'). But when I checked the email’s header fields, I saw that while my friend’s name was in the 'From:' field, the originating address wasn’t their usual account; instead, it was a bogus-looking Yahoo! Philippines email," he said.
Forbes also quoted Johannes Ullrich, chief research officer for the SANS Institute, as saying the number of spam attacks using data collected from social networks has ramped up in recent weeks.
“Automating these attacks is easier then before ... Having millions of users connected to the same [programming interface] creates a rather easy opportunity to harvest this information. The process is also aided by Facebook’s confusing privacy settings. They have improved, but still many users don’t realize what they share and who they share with,” Ullrich said.
Facebook recommended that users take the following steps:
Review security settings and consider enabling login notifications.
Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious.
Don’t accept on friend requests from unknown parties.
Report scams so they can be taken down.
Don’t download apps you are not certain about.
When accessing Facebook from places like hotels and airports, text 'otp' to 32665 to receive a one-time password to your account.