Using social networks to harvest email addresses

Social networking is one of the most popular Internet activities, with millions of members from around the world. However, users are unaware of the privacy risks involved. Even if they protect their private information, their name is enough to be used for malicious purposes. In this paper we demonstrate and evaluate how names extracted from social networks can be used to harvest email addresses as a first step for personalized phishing campaigns. Our blind harvesting technique uses names collected from the Facebook and Twitter networks as query terms for the Google search engine, and was able to harvest almost 9 million unique email addresses. We compare our technique with other harvesting methodologies, such as crawling the World Wide Web and dictionary attacks, and show that our approach is more scalable and efficient than the other techniques. We also present three targeted harvesting techniques that aim to collect email addresses coupled with personal information for the creation of personalized phishing emails. By using information available in Twitter to narrow down the search space and by utilizing the Facebook email search functionality, we are able to successfully map 43.4% of the user profiles to their actual email address. Furthermore, we harvest profiles from Google Buzz, 40% of which provide a direct mapping to valid Gmail addresses.
