Off topic: Facebook Social Engineering?

I’m not a member of Facebook. I was recently invited to join by email from a man I don’t know. His subject for the email was “Check out my photos on Facebook.” The stranger included inside his email pictures of eight individuals and one couple. Of the 10 people, 2 are college classmates, one was a member of a class I taught, one is a relation of my late wife’s, one was her best friend, one is a local vendor, and the couple are neighbors. Two I didn’t recognize.

The common link appears to be me (probably my home email account), but I don’t know the sender, and neither did my college classmates nor my wife’s cousin. Appealing to the collective DDoE wisdom, how might the connection have been made? And how concerned need I be about this social engineering?

And though I’ve otherwise thought about it, I’ve not joined up.

…mrt

4 thoughts on “Off topic: Facebook Social Engineering?”

  1. I have often suspected that, while you may not have applied any Facebook style interrogation of your various inboxes, that others may have. And if enough random people are able to create links to you then at some point the critical mass of links establishes potential connections to you. Perhaps your email was part of one bizarre group post from a friend of yours with a picture of say a very cute smiling cat to other friends of his/hers. Now you could be loosely connected to that group of people, where just one recipient once received an email in which you were one of the many recipients. Thankfully this rarely happens as most of us aren’t stupid enough to run a program against our entire inbox, but imagine if one of your emails which is not the one that has received the invite is tagged as a close match to your name and your relationships perhaps you could even be linked to a person via your old email address that you no longer use that isn’t even active which your aunt still tried to use to send you smiling cats. And please say “Hi” next time you see the imaginary Aunt I concocted for you.

    While I can’t prove that this is what happened, I too am not a member of Facebook, but I can only imagine this is the only way that arbitrary people can make the connection.

  2. Michael, this is very much a stab in the dark, but here goes anyway. Peering back into the murky depths of my pre-Facebook existence (and even I resisted for a long time), I seem to recall that I received email invitations (friend requests) from Facebook on behalf of a number of people, some of whom I know for certain didn’t have my email address.

    I’m sure that a few of the people who did have my email address probably used the ‘import address book’ feature to look for me (amongst others), thereby ‘giving’ Facebook my email address. If Facebook has some sort of ‘placeholder’ system which attaches your email address to a profile shell, maybe that’s how this mystery person was able to use Facebook to contact you directly via email.

    Photos are another interesting feature of Facebook – I’m pretty sure there have been times when my face has been ‘tagged’ on a photo uploaded by someone I don’t know. However, all it takes is for one of the people who does know you to tag your face on someone else’s photo, and you’ll be sent a notification.

    I’ve never found much useful information on the way Facebook uses personal and contact information to track people within its own confines, and outside in the greater www – they don’t seem big on sharing that. However, there are now so many people using Facebook, that I’d imagine the only way to keep your name and photo off there altogether would be to have lived a monastic existence in a cave for the past twenty years or so, shortly after destroying all documentary and photographic evidence of yourself…

  3. Michael,

    Good questions all. I’m trying to track down something similar.

    In my case, there are three interesting coincidences. I received three emails from my elderly Father, who claims he didn’t do anything to generate the mail. To some extent, I believe him, but I’m not through interrogating him, er, I mean, talking to him about this yet. Here are the three coincidences:

    1. The mail is truly from Facebook. I’ve verified the path the mail took through the Facebook network, and the links in the mail are all valid Facebook links.
    2. The three addresses that I received email from are all in his Mac address book, on my card. They are not addresses that he’s ever used to send mail to me.
    3. Exporting the Vcards from the Address Book application to feed to FB is way beyond his capabilities. I haven’t been able to find any information on functionality in Facebook that automatically will do this. He doesn’t use a mobile phone (not one with the address book, anyway); his email is hosted on a domain I control (so it’s not like he could give an AOL or Yahoo email credential to their “Friend Finder”), and I also haven’t heard of Mac-based malware that mines Address Book.

    So, I’m puzzled. I am thinking that he either inadvertently used a Facebook Platform Application that did this, or used some other application that uploaded his address book information to an online application, or Facebook has added functionality to their site that isn’t documented.

    To answer your question: I think the only real exposure here (assuming you received the same type of email that I did) is that Facebook now has your email address. I’m particularly P.O.’d about this because I have addresses that have remained remarkably spam-free because I don’t ever share them with commercial entities, which were naturally the ones in my father’s address book (including one that went to my phone, sigh).

  4. jfj33 and KMP –

    Thanks. Looks like there’s a way on Facebook, I’m told, to provide/upload address books. And that’s how my email got there, presumably much as KMP describes.

    My inbox survives, so I think I’m OK. Still haven’t joined.

    …mrt
