Over the past two days I've gotten two spam emails whose From: lines contained the names of people I know, but with totally incorrect email addresses. Both contacts are Facebook friends of mine, but I've only conversed via email with one of them. Furthermore, neither person is actually in my email contact list. I'm using Apple's Mail 6.3 on OS X 10.8.3. My question is: whose account got compromised here? I'm wondering if it's my own, since the one purported sender doesn't even have my email address (that I'm aware of). And for that same reason, I'm wondering if the compromised account is my Facebook one rather than my email one.
asked Jun 2, 2013 at 18:23 by echristopherson

It's probably theirs; they have a virus that is sending out emails. The likeliest explanation is that the contact you think does not have your email simply does.
Commented Jun 2, 2013 at 18:24

Change your password just in case. If you've got a Yahoo account then definitely change your password!
Commented Jun 2, 2013 at 18:29

Is your list of friends public? If so, there hasn't necessarily been any compromise. If a miscreant got your email address somehow (maybe by guessing, maybe from some site where you post non-anonymously) and typed it into Facebook's "find friends" text field, he will have learned your Facebook name, from which he can get your friends' names (as known to Facebook). It's then, of course, a simple matter to send you email where the textual part of the From name is one of your friends' names.

But still, it seems like a good time to change your password.
Commented Jun 2, 2013 at 21:06

Apparently it's due to a Facebook vulnerability that was discovered in August 2012, whereby spammers were able to scrape Facebook profiles to gather lists of people's friends and relatives (something called "spear-phishing", apparently). According to Facebook, "To be clear, there was neither a mass compromise of Facebook accounts nor any leak of private information."
But that still leaves me wondering how the spammers got my email address to send the spam to. My profile settings page did have a facebook.com email address plus my real one, but my real one was hidden from the timeline and available to friends only. A simple test seems to have demonstrated that the facebook.com email doesn't get automatically forwarded to my real one; so I wonder if the spam comes from one of my "friends."
EDIT: I forgot to put the links I got this information from.
answered Jun 2, 2013 at 19:04 by echristopherson

I've also gotten many such emails - a rash came in yesterday, too. It is not the purported sender's email that was compromised. More likely your address was harvested somewhere along with lists of friends. The friends' names are used to trick you while the actual address is either some bait address or made-up. I just mark them as spam.
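The point made in the comment above and in this last answer is that only the display-name part of the From: header is borrowed from a real friend; the address itself is unrelated. As an added example (not code from anyone in the thread), the snippet below parses a raw message, splits From: into display name and address, and checks the name against a local address book of known-good addresses. The address book, the two sample messages and the domains in them are constructed for illustration. The Return-Path comparison is included as a weaker secondary signal; it legitimately differs for mailing lists and some bulk senders, so it is reported but not treated as proof on its own.

```python
"""Detect display-name spoofing in an email's From: header.

Added example, not from the original Q&A. KNOWN_CONTACTS and both sample
messages are constructed; the addresses and domains are made up.
"""
import email
from email.utils import parseaddr

# Hypothetical address book: display name -> addresses actually exchanged mail with.
KNOWN_CONTACTS = {
    "Alice Example": {"alice@example.org"},
    "Bob Sample": {"bob@example.net", "bob.sample@example.com"},
}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_from(raw_message: str, contacts=KNOWN_CONTACTS) -> dict:
    """Parse the message and report why its From: header looks suspicious.

    Findings:
      * the display name matches a known contact but the address is not one
        we know for that person (the pattern described in the thread);
      * the Return-Path (envelope sender) domain differs from the From: domain
        (weaker signal; common for mailing lists, so it is reported, not decisive).
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    display_name = display_name.strip()
    from_addr = from_addr.lower()
    return_path = return_path.lower()

    findings = []
    known_addresses = contacts.get(display_name)
    if known_addresses is not None and from_addr not in known_addresses:
        findings.append(
            f"display name {display_name!r} is a known contact, but "
            f"{from_addr!r} is not one of their addresses"
        )
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(
            f"Return-Path domain {domain_of(return_path)!r} differs from "
            f"From: domain {domain_of(from_addr)!r}"
        )

    return {
        "display_name": display_name,
        "from": from_addr,
        "return_path": return_path,
        "known_contact": known_addresses is not None,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a friend's name on an unrelated spammer's address.
SPOOFED = """From: Alice Example <promo-8831@cheap-deals.example>
Return-Path: <bounce@cheap-deals.example>
To: me@example.com
Subject: you have to see this

http://cheap-deals.example/offer
"""

# Constructed sample: the same friend, mailing from the address we know.
LEGIT = """From: Alice Example <alice@example.org>
Return-Path: <alice@example.org>
To: me@example.com
Subject: dinner Friday?

Still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        result = analyze_from(raw)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Running it prints one finding for the first message (the name matches Alice but the address is not hers) and nothing for the second. A sender whose display name is not in the address book produces no name finding at all, which is exactly why the original poster's Mail.app showed nothing odd: the names belonged to people who were never in its contact list.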