14

I witnessed an interesting attack today. Someone was able to register a new Facebook account with the email address of a friend of mine. We don't know how it happened, because Facebook requires you to click on a confirmation link to use an email address. Maybe the attacker got access to the mailbox somehow.

The interesting question for me is, why would someone do this? It is easy to create a free email address within minutes. Why does the attacker use the email address of someone else? It is not an impersonation scenario, because the Facebook account has a totally different name than my friend. I cannot think of a reasonable scenario that makes stealing an email address for creating a Facebook account worth the effort. Am I missing something?

Update: First of all, no one from Facebook responded to our abuse message. Nevertheless, the fake account was gone after several days - we have no idea if Facebook took active measures against this account or not.

I didn't think about the obvious countermeasure against this fake account when the incident happened, but this idea might be interesting to others facing a similar problem. If someone registers an account with your email address, there's nothing easier than resetting the password of this account and accessing/deleting it - you are the owner of the email address bound to the account, and the "lost password" function plays into your hands. I am not sure if this would be 100% legal though; it depends on whether the account is actually yours if your email address is bound to it.

Demento
  • Please add the email headers to let people check whether the email is really from the Facebook servers. – Hendrik Brummermann Feb 25 '12 at 21:24
  • Thanks for the tip, I checked the headers myself already. The emails are really from Facebook and the account is really registered with the email address in question. You can search people by email on Facebook and the new "fake" account pops up when looking for the address. – Demento Feb 25 '12 at 21:42
  • This has happened to me twice. The first time, they deleted the account when I filed an abuse claim. I just put in the second request, so we'll see what happens. It is one of the few choices on this [abuse page](http://www.facebook.com/help/contact/?id=169486816475808), so they must be aware of the problem. My email address is (common last name) at gmail.com, so it could have just been a mistake, but I too am curious as to how they managed to activate the account without clicking on the link. –  Jan 07 '13 at 18:53
  • @Ben - It's very likely they have access to your email account. – Ramhound Jan 08 '13 at 14:04
  • I just noticed this happened to me as well. I was just going to sign up for a throwaway Facebook account for contest entry purposes and tried to sign up using an old dormant throwaway email address I had from Hotmail; I found out it was in use. Rather strange, since if they had access to my email they should have changed the email password to block my reclaiming it, but nothing's changed. I changed the Facebook account's password along with my emails' for good measure. Strangely, it was a Turkish account. The account was effectively unused: no friends, no posts, no timeline. –  Dec 04 '13 at 15:32
  • I had this happen to me as well. I did exactly what the OP proposed in the last paragraph: requested a password reset and removed the account myself. – George Nov 16 '14 at 20:54
  • Could be using a dummy account for Facebook Ads. This way they could temporarily make you an 'admin' of one of their pages, create some advertisements on your account (*which you're billed for when the advertisement is over*), and then remove your 'dummy' account as admin (the ads will still be going). This way, once Facebook demands payment the scammer will be long gone, and as it's your friend's email address, they will try and demand payment from them. Although Facebook will probably end up deleting the account, the scammers will *still* have gained from free advertising. – AStopher Aug 10 '15 at 22:27
  • Some of the large email providers seem to have bugs, aka gaping holes, in their remote cluster synchronizations. GMail, I know for a fact, has given other users my friends' email addresses. They were early GMail adopters and they have common, short names. People signing up from the Philippines or Australia seem to be able to get their names and use them for a while, until Google's systems resync. This could have happened here rather than a compromise of the email account. – Zan Lynx Mar 03 '16 at 11:35

3 Answers

9

Two possible scenarios that pop into my mind:

  1. Since we can assume the attacker probably had access to his email, he probably had access to his address book as well, and he could have requested friendship (search for friends by email address) from all the people that had a Facebook account registered to one of the email addresses from that address book (some of those requests would succeed). Despite having a different name (lots of people don't use their real names on Facebook), lots of people would accept the invite either blindly or because they would see they had friends in common (the ones that accepted blindly). After that, he would have access to additional data about all those other people, etc.

  2. He could just let the Facebook account lie there and wait for someone else to find him by searching friends by email, after which he would again have access to additional data.

tkit
  • +1: Both interesting options. We will monitor how this develops. I am also interested in how Facebook will handle the abuse message from us. – Demento Feb 25 '12 at 21:44
  • Another point is in the preservation of the account. Your friend does all the work keeping the account alive and unsuspecting by logging in regularly and sending an average amount of mail. The attacker would otherwise need to create new accounts and ensure they were logged in and used regularly enough they weren't pruned by the mail provider. – deed02392 Feb 29 '12 at 12:35
  • I can't remember where, but someone posted a story about one of their Facebook friends contacting them via chat and asking for help (they got stuck somewhere and needed money urgently, kind of story). The person could obviously recognize it didn't 'sound' like their friend, so didn't fall for it, but these kinds of scams are also a possibility. By creating a FB account with your friend's email, they might hope to scam your friend's friends (which might be you!) – Yoav Aner Mar 28 '12 at 09:00
  • here's [one example](http://redtape.msnbc.msn.com/_news/2011/09/27/7999343-i-thought-it-was-my-sister-woman-loses-2000-to-facebook-scam), and [another](http://techcrunch.com/2009/01/20/latest-facebook-scam-phishers-hit-up-friends-for-cash/) - not the one I had in mind, but similar principle. – Yoav Aner Mar 28 '12 at 09:08
3

He could have tried to spoof a login to another service that uses OpenID/Facebook Connect/Oauth. This assumes the service uses just the email address to identify the user.

KennyC
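The scenario in this answer (a relying party that identifies a user by nothing more than the email address a login provider hands it) is easy to show side by side with the defensive alternative. The following is an added example, not code from the original post, Facebook, or any OpenID/OAuth provider: the users, claims and identity providers are constructed, and the linking rules are one common hardening pattern, keyed on the provider's stable issuer/subject pair rather than on email.

```python
# Added example (not from the original page): a relying party's login handler
# that maps a provider identity to a local account. `login_email_only` shows the
# weak pattern the answer above describes; `login_hardened` keys on (issuer,
# subject) and refuses to silently merge into an existing account by email.
# All providers, users and claims below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    user_id: int
    email: str
    # (issuer, subject) pairs this account has explicitly linked
    identities: set = field(default_factory=set)


# Constructed local user store: Alice has linked exactly one identity.
USERS = {
    1: LocalUser(1, "alice@example.com", {("https://idp-a.example", "sub-alice")}),
}


def find_by_email(users, email):
    email = email.strip().lower()
    return next((u for u in users.values() if u.email == email), None)


def find_by_identity(users, issuer, subject):
    return next((u for u in users.values() if (issuer, subject) in u.identities), None)


def login_email_only(users, claims):
    """Weak: any provider that asserts Alice's email logs the caller in as Alice."""
    user = find_by_email(users, claims["email"])
    return ("LOGIN", user.user_id) if user else ("NEW_ACCOUNT", None)


def login_hardened(users, claims):
    """Identify by the provider's stable (iss, sub); never merge on email alone."""
    user = find_by_identity(users, claims["iss"], claims["sub"])
    if user:
        return ("LOGIN", user.user_id)
    existing = find_by_email(users, claims.get("email", ""))
    if existing:
        # Same email, unknown identity: the owner of the existing account must
        # prove control of it (e.g. password re-auth) before this identity is linked.
        return ("LINK_REQUIRES_REAUTH", existing.user_id)
    if not claims.get("email_verified", False):
        # Provider did not vouch for the address: do not trust it for anything.
        return ("EMAIL_UNVERIFIED", None)
    return ("NEW_ACCOUNT", None)


# Constructed claims: a second provider asserting Alice's email for a subject
# that has never been linked to Alice's local account.
UNLINKED_CLAIMS = {"iss": "https://idp-b.example", "sub": "sub-9999",
                   "email": "alice@example.com", "email_verified": True}
ALICE_CLAIMS = {"iss": "https://idp-a.example", "sub": "sub-alice",
                "email": "alice@example.com", "email_verified": True}

if __name__ == "__main__":
    print("email-only:", login_email_only(USERS, UNLINKED_CLAIMS))  # logs in as Alice
    print("hardened:  ", login_hardened(USERS, UNLINKED_CLAIMS))    # requires re-auth
```

The email-only handler accepts the unlinked identity as Alice; the hardened one returns `LINK_REQUIRES_REAUTH`, so the real account owner has to authenticate before the new identity is attached. A verified-email flag alone is not enough here, because the question itself describes an attacker who did complete the provider's email confirmation.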
1

I would do that if I wanted to stay completely anonymous. Fake or stolen data isn't yours; since you can't register without providing some data about yourself, try to use a fake or stolen email address.

Why would one want an anonymous facebook account?

  • Get RSS feeds
  • Express ideas and stay anonymous (free speech)
  • Cannot get punished by any government or company for what you say

It's just like anyone else, but you don't need/want to relate to your friends. Being judged by what you say and not by who you are, your race, nationality, etc.

If your friend doesn't need this address<->Facebook account and the thief doesn't impersonate him in any harmful way, I suggest you both let it be.

Aki
  • Why would you need to steal someone's email to stay anonymous? :O Just go and create a fresh free email account. – tkit Feb 26 '12 at 12:26
  • A new email address would be a lot easier to trace back than an email address with established contacts that is used regularly by a user. – cutrightjm Feb 27 '12 at 13:12
  • Yes. Besides, how would you create an email address? You are asked to provide some information, and you should stay careful about what data you expose (your browser leaks data, your IP, etc.) without knowing. It's kind of an issue; it's stealthier to use someone else's mail account. – Aki Feb 27 '12 at 14:05
  • You can always use a plain, simple vanilla browser, a proxy, and not provide any real information... – tkit Feb 27 '12 at 19:41
  • We could debate this for hours, there are obviously a great number of possibilities. My answer just tried to explain why would one possibly want to use another's email to register a facebook account. Let's not get off topic here. – Aki Feb 27 '12 at 19:59