I have always considered myself pretty lucky in that I rarely receive fraudulent text messages. That luck recently ran out. Over the past few weeks I have noticed an uptick in the number of SMS phishing (smishing) messages that I receive on my phone. A few days ago, the smishing seemed to become even more frequent. If you’re not familiar with smishing, you can learn more in this Between The Hacks blog.
Interestingly, most of the fraudulent text messages that I received were using a name that I only use on Facebook, which of course leads me to believe that the attackers got the cell phone number from Facebook.
Below I have shared a few examples. In the images, I have removed my “Facebook name”, and even though the URLs are no longer active, I removed the last character from each of them, just in case. Unfortunately, I did not get a screenshot of the web pages associated with these links before they expired, but I recall that one of the Amazon links was a very convincing replica of the Amazon website and the USPS link pointed to a fraudulent DHL website which was also convincing to someone who isn’t paying close attention.
Facebook Phone Number Leak
So how did they get my name and phone number from Facebook? It likely came from a 2019 Facebook breach. Facebook has since fixed the vulnerability that allowed for the breach, but data has a way of living forever on the Internet, and this past weekend that trove of data made headlines again. BleepingComputer reports, “The mobile phone numbers and other personal information for approximately 533 million Facebook users worldwide has been leaked on a popular hacker forum for free.”
The data was first placed for sale in June of 2020 and as the data set became older, the price was reduced many times until this weekend when it was basically available for free. The sold data included 533,313,128 Facebook users, with information such as a member’s mobile number, Facebook ID, name, gender, location, relationship status, occupation, date of birth, and email addresses.
A sample of USA records showing the redacted mobile numbers starting with New York’s 917 mobile area code. Image by BleepingComputer
BleepingComputer also reported that, “Included in the data leak are the phone numbers for three of Facebook’s founders – Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz, which are the 4th, 5th, and 6th members first registered on Facebook.”
Facebook founders included in the data leak. Image by BleepingComputer
What Can You Do?
While there is no way of knowing for sure if this sudden increase in SMS phishing messages is a result of the recent Facebook leak (correlation does not imply causation), the timing and the use of my “Facebook-only” name have me leaning toward that conclusion. Regardless of the actual cause, this is a good time to remember that much of our “personal” data is not as personal as we might think. Criminal hackers, identity thieves and social engineers look for this type of data to target us. CNN interviewed Rachel Tobac, an ethical hacker and CEO of SocialProof Security. Tobac stated, “These are the pieces of data cyber criminals spend time searching for to perform social engineering attacks (a type of hacking) — but now they’re all in one place and easily accessible in this leak, which makes social engineering quicker and easier.” Assume that threat actors have your name, cell phone number, birth date, and other personal information and will use that data to try and trick you into revealing sensitive information or making payments to fraudulent sites.
Here are ten things that you can do.
Check your security and privacy settings in Facebook and other social media sites.
Download a copy of your data from Facebook and review.
Look at EVERY text message, email, and social media communication with a skeptical eye.
Don’t respond to messages from phone numbers or accounts you are not familiar with.
Check the phone number or code that sent the message. If it’s not familiar, look it up online and see if there are other reports of spam or smishing coming from that number.
“Often, a ‘smishing’ message will come from a ‘5000’ number instead of displaying an actual phone number. This usually indicates the text message was sent via email to the cell phone, and not sent from another cell phone,” shares Intuit.
If you’re not expecting a message, be very cautious. If you place an order for food delivery and are instantly sent a text message with a link to check the status, it’s likely safe. If you receive a similar text message and did not place an order, be very cautious and log into the app or website directly to verify the order.
If you’ve become the target of a smishing attack, HowToGeek recommends blocking the number immediately. iPhone and Android users both have access to built-in spam-blocking tools that should help cut down on the number of fake messages.
UPDATE: Check your phone number and email address on haveibeenpwned.com (HIBP) to see if it has been included in a data breach. According to the HIBP Twitter account, HIBP has added the Facebook phone numbers and email addresses to their database.