New Trojan involving Facebook Invitation?

Discussion in 'malware problems & news' started by wutheringheights, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Hi folks!

    Recently I was spammed several times by a hotel chain in the Canary Islands. I don't know how they came up with my more private email address. They basically sent pix and text and I think a link to their site, encouraging me to stay at their hotel. This happened about three times. I think once I might have clicked on the pix. My email client is Thunderbird and it automatically blocks pix unless I click. There was the usual European unsubscribe link, which I availed myself of before deleting the emails.

    Then a few days ago I got an invitation from Facebook (!) to join Facebook. The invitation had a very unusual name of person responsible for the invitation--random characters galore--but the thing was very clearly connected to the Hotels in the Canary Islands that spammed me. I have kept this communication from Facebook in a separate folder while I figure out what to do.

    Update: I should have pointed out that the Facebook invitation, which might be fake, had the remote content (not pix) blocked by Thunderbird. That might have saved me from bad things happening.

    The strange thing about this invitation is that the invitation listed three persons who were in my email directory who are on Facebook as being persons of potential interest to me. The final person of potential interest was a member of management of the Hotels, but I had never had any email communication with him, or the hotels (outside of the unsubscribe), so I don't know how or why he would have been included. A bit like shooting your own foot, it seems to me. I had until that point never logged on to or registered with Facebook, so Facebook couldn't have got these things from my own interaction with it. I later logged on to Facebook and saw that there is a facility for Facebook to identify members of Facebook in your Thunderbird directory. But I have never availed myself of this service.

    I tried to contact Facebook, but all I could find was a 'block this page' link at the page of the hotel chain, which I used and which didn't seem to do anything--i.e. Facebook didn't seem to act on my message.

    I scanned the computer after all of this with Spybot and Malwarebytes and came up clean. I had done a complete system installation onto a new hard disk only about 2 months before. Something tells me that this was after the email invitations to stay at the hotels so the problem would have to do with the reloaded email files or else with an upload of information from a Trojan prior to the system installation. I then scanned the most significant partitions (system and the partitions of high volatility especially all the email files) with Avast (a full scan takes hours so I left some low-volatility partitions) and nothing was found. I contacted Avast and have yet heard nothing.

    The problem of course is how these people generated the Facebook invitation using names from my Thunderbird email directory--and why they went to this trouble. Surely not to get me to stay in their hotel.

    Anyone have any information on what this is all about and how to pursue this?

    Thanks a lot.

    wutheringheights
     
    Last edited: Jan 25, 2010
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    If you feel that you are the victim of Identity Theft, call your local Police immediately!

    Steps you can take if you are the victim of Identity Theft

    Advise Facebook of a hacked or phished account.

    Best of luck.
     
  3. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Thanks Siljaline.

    This issue does not seem to be identity theft. At least I don't think they got anything.

    I did follow up on your Facebook link finding the 'false email from Facebook' form and submitting some information to Facebook under that.

    I appear to have been lucky in that Thunderbird automatically blocked remote content. If I understand how these things work, the malice would have been in the remote content. However looking at the email, there is a specific link to merge my email account to my already-existing Facebook account (if I have one), and a link to register on Facebook, which of course I didn't click.

    The issue is how whoever created the email (whether through Facebook facilities or no) managed to match persons on my Thunderbird email directory to the membership lists of Facebook, so as to produce a plausible list of people known to me who were on Facebook so to get me to join Facebook--or at least to click on some link that I would have thought was getting me to join Facebook.
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You are welcome, I provided as much information based on what you described as to what your issues were.
    Keep us posted if there is any further abnormal activity with email, accounts, Facebook, etc.
    Clicking on unknown links in HTML email can expose you to many risks. You might consider configuring Thunderbird to view email as plain text.
    As long as Facebook has been made officially aware of this, they need to know of every breach possible.
     
  5. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    A little more information. Spybot took a look and didn't find anything (i.e. they had me upload some reports and a binary).

    I looked at the original Facebook invitation in text format and did ARIN lookups on a couple of the IPs. They actually belong to Facebook.

    I took a sample of email addresses of persons in my email directory other than those listed on the Invitation and having logged onto Facebook tried to see if they were on Facebook. A number were, more than were on the invitation. This says that there wasn't a simple mechanical procedure that scanned my email directory and then matched that directory to Facebook--something else, perhaps a little more complicated, happened.

    Is it permitted to post the Facebook invitation here in text format--having removed some personal information?

    Thanks.

    wutheringheights
     
  6. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Just a thought..

    If other people have allowed their e-mail directories to be scanned, Facebook may simply have collected your e-mail address from these other people (ie, rather than from your e-mail directory). At this point, Facebook are free to spam you because of what information (ie your e-mail address etc) that others have inadvertently provided..

    Perhaps check with the three contacts that came up as potential invites to see if any availed themselves of the "service" (!) to see if there are other Facebook members in their e-mail directories (or perhaps the hotel contact did). If yes, in my view, this points to what I would describe as rogue practice by Facebook.

    If you were then to allow Facebook to scan your e-mail directory, your e-mail contacts might also get spammed..!!

    This is interesting, as I get spam from Facebook all the time, but like all spam I simply never open any of it.. I shall check some of these in future to see, if they are genuinely from Facebook, whether names that I know come up on any potential invites - at which point I can tell these people / friends (!) that they are complete "muppets" for allowing their e-mail directories to be scanned, hence, enabling their friends to be spammed like that..!!

    I'm only speculating, but if this is the case, seems like good reason not to touch organisations like Facebook with a barge pole...
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Aye, that happened to me -- that is, my nephew joined a facebook type of website and within a couple of days everybody in his address book was being 'invited' to join via spam mails.
    It looks like they got your e-mail address from someone who joined and has your name in their address book. It's careless really, needless to say I had some choice words for my nephew.

    Gordon
     
  8. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Thanks pbw3.

    Pbw3, I was in fact just logging on to Wilders to post something along the lines that you describe. I had thought about this issue considerably and it ultimately occurred to me that a likely theory would be just as you describe. I then wrote to one of the four people (three of whom I know; one of whom unknown) who were listed on the invitation to ask him if he had done an email scan. He wrote back rather upset that he had not invited me to join Facebook although he had done a Facebook email scan. My reply:

    "Sam", let me address a serious question immediately. I know you didn't send me an invitation. I quite agree on that point. What I am saying, and what you have confirmed almost 100%, is that when Facebook does an email scan such as you did on your own emails, it doesn't throw ANYTHING away. So when someone does do an invitation--in my case it was the unknown employee of a hotel chain in the Canary Islands that was seeking my custom--Facebook checks if the email address of the invitee (or target) is in its database and if it is, it brings up the names of the people on Facebook who did do Facebook email scans that showed that the target was their correspondent. Hence, when the hotel employee did issue the invitation to me, Facebook scanned its own database for my email address and found that there were four people who had had that email address in their email directory when Facebook scanned their email accounts. It then added those four Facebook people to the invitation as people who are on Facebook who might be of interest to me. The fourth name was a manager of the hotel chain, and the fact that his email account had my email address would suggest that he was the origin of the spam from the hotel that I had received prior to receiving the Facebook invitation. In any event I don't remember ever having corresponded with him, and I have no idea how the hotel or he would have come across my email address. The invasion of privacy arises not from you but from Facebook's method of scanning people's email accounts and/or directories, archiving ALL the data from the scan and then using the data to encourage (manipulate?) people to join Facebook. The only thing I could say to you is that the fact that Facebook does that kind of thing would be to me a good reason to cut off all contact with it. But that is your choice. Let me assure you once again that you are innocent in the matter, the victim of what I consider to be sharp practices on the part of Facebook.

    Facebook must have an incredible amount of social networking data. Who uses this data? Who has hacked this data?

    I think that it would be good to hear from Facebook on this matter.

    Wuthering Heights

    PS to GHodgson: I don't know about other Social Networking sites, but Facebook, at least with me, seems to have refrained from spamming me on the basis of other people's email scans to join Facebook. In the present case, as near as I can make out (since the role of the hotel chain in the Canaries is a joker in the deck), Facebook merely waited for someone to issue me an invitation, and then automatically listed on the invitation those people who were on Facebook and who had done Facebook email scans and who had me as their correspondent. For there are a number of my correspondents who are on Facebook who play no role in this matter--I presume that they have been sensible enough not to request Facebook email scans.
     
    Last edited: Jan 30, 2010
  9. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    Here's what http://epic.org/privacy/facebook/ (whoever they are) has to say about this issue:

    Contact Importer

    Facebook users are invited by Facebook to "[f]ind out which of your email contacts are on Facebook." Facebook asks users for their email address and password for many of the major providers of webmail services (Yahoo, Hotmail, Gmail, etc...). Facebook then logs on to the account, and downloads all the contacts there. Facebook can also import email contacts from applications such as Outlook and Thunderbird. Users are then shown a list of which individuals are current Facebook members, and have the choice of sending friend requests to each of them. The screen comes with all the contacts pre-selected. The user is then given the option of inviting all of their other contacts to join Facebook. Again, all of the contacts are pre-selected. The default behavior is to send messages to all of one's contacts inviting them to become friends on Facebook.

    [Image: example of the contact importer.]

    Facebook promises not to retain the user's password and login. Facebook does not explain what happens to the emails collected, or to the association of those emails as "contacts" of a given user. The email addresses can be of significant value. As known contacts of a real person, a person knows that that email address is "live" and thus valuable to email harvesters.

    There's a lot of other information on the site at the URL given about other aspects of Facebook.

    It does seem like GHodgson was correct in that the default is for Facebook to generate invitations to everyone in your email directory who is not on Facebook.

    It seems that Facebook's policy constitutes an invasion of my privacy.
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Wuthering, I got done the same way with emails being sent to a private address only a few people knew about.

    One of these people must have 'participated' in some sort of facebook plugin, or contact list download.

    I then started to receive communications from other people, via facebook, inviting me to join, and so on. Obviously automatically generated by facebook.

    Bottom line, if anyone you've sent emails to from your private email address is on facebook, then your email address isn't so private.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Not directly related to the original topic post but....:)


    I am a registered member of FaceBook, but doing a search of my name in Google will not reveal anything. That is the way I set up my privacy settings in Facebook.

    Since December I had an email from FaceBook to change the settings. I was supposed to click on 'whatever' and follow their new procedures as to setting the privacy settings.

    Because I knew my Facebook account was locked down tight, I did not do what they wanted.

    Now, just the other day they (Facebook), have sent me another email inviting me to log in and customize my settings. They advise that the tutorial won't be available much longer...and I say 'who cares'.

    If I fail to respond, will my Facebook information, i.e. that I am a member, become public in Google? I don't think so!


    So Facebook can go jump!...

    Edit: I can spell...;)
     
    Last edited: Jan 30, 2010
  12. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Saraceno........

    I think this is a problem that social networking site users don't realise. As a lot of them will not be security conscious orientated, --and will post onsite targetable info about themselves but also inadvertently put other third parties' privacy/e-mail addresses at risk,-- who don't want anything to do with these websites--such as myself.


    Gordon
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    For facebook, I created an email address I'll never log back into. The info page, no email address, and the profile is private from public viewing. Come to think of it, I really hate facebook, the word, and everything to do with it - that's why I log on once a month.

    Anyway, what I've noticed, many people have 'public' profiles, where you don't even have to 'add them as a friend' to view their info, their wall, their friends list, and their photos.

    Now going by the info page alone, where people have their hotmail address in the open on a public page, these people could easily be spammed with phishing emails, saying 'see who removed you on facebook', and 'just log in'. Or, 'see who removed you on MSN', or 'see who's wanting you to join bebo'.

    These people are being taken to a login page, which looks legitimate, their curiosity gets the better of them, as they probably can't sleep at night without knowing (the knobs they are), and they log in to these sites, where they give full access to another unknown person.

    You on the other hand, are now on the 'hit list', receiving the same emails above, all for just sending/receiving an email to this friend (who has a public profile, lists their email address in their info, and falls for phishing/scam emails and so on).

    I won't even touch on msn, that is out of hand. The automatic replies from people saying 'hey, I've lost weight recently, you should get these acai berries I've bought, makes all the difference. Just click on this link'. The person logs on later and has no idea their account is being used to promote all sorts of scams.
     
  14. quintile

    quintile Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    138
    Exactly why (though I otherwise think very highly of my family :D)
    I have gmail JUST for my family.
    They are a 'highly clickable', chain letter sending, downloading any 3rd party link, social networking bunch..

    Yeah, I have explained all the ramifications of such, asked them to not send all that to me, their answer to me ~
    "But we put on a FW/AV!!?" :doubt:

    Needless to say, any business/private email addy's stay outta my family's heavy clicking hands.. :D

    Anyone else have a better suggestion for family, tell me, tired of deleting...:p
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    It's a tough one. I'd recommend them to remove any email listings in facebook.

    Also get them to set up a secondary email address used for 'promotional' offers (or you could set this up for them, give them the password - all can use one account if need be). For example, say janesmith at gmail is the personal email for your mum, js202020 at gmail might be her junk secondary email she uses only for non-family emails. Make sure the junk email doesn't have any personal name in the full email, or in the 'enter name/signature' field, so outgoing emails won't be personally linked to her. eg. emails sent back to her won't be able to address her by her full name. Her name could be 'Jane S' and email js202020 at gmail.

    That way she can use that junk email to fill in marketing forms, feedback forms and so on. And the chance of her personal email being scammed by phishing emails saying 'click here' will be less likely.
     
  16. wutheringheights

    wutheringheights Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    16
    It seems to me that the most serious aspect of Facebook is that the Facebook collection of email contacts allows it to create a database containing vast social networking information, some of which is both unknown and unauthorized by the people who are being databased.

    An article from a more intellectual point of view, written as a book review, can be found here:

    http://www.nybooks.com/articles/23651

    This unfortunately does not cover this issue, but certainly gives some important background on social networking sites and what they can and cannot do.

    If we look at the Aurora exploit, the collection of social networking data for the target was an integral part of the attack. Hence, we might assume that Aurora class hackers would want to hack into Facebook or otherwise obtain its networking data for their targets.

    It might be remarked that in the Aurora exploit, it was said that the only thing that the hackers got out of gmail when they went in through Google's own computers were the headers for the email accounts they hacked. But once they had that networking data for their targets that gave them the targets' correspondents, they would have been able to go after the 'home computers' of those correspondents. That way they certainly would have been able to flesh out their knowledge of what the original targets were sending and receiving by way of email.

    This is not innocent stuff.

    wuthering
     