updated 8/12/2009 9:42:50 AM ET

Is Facebook becoming Phishingbook?

A Colorado woman's experience this week — having her Facebook account hacked, and her friends e-mailed, supposedly by her, with pleas for "help" and money — is not the first time such a scheme has happened. But the scam carries a sound of authenticity that standard phishing or identity-theft attempts lack: within the gated world of Facebook, you "know" — or think you know — the person who's e-mailing you.

"At 7 o’clock in the morning, my phone was ringing off the hook, and I looked at it, and it was a friend of mine from another state," said Susie McLain, who lives about 20 miles outside of Denver. "She said, 'Are you ok?' I said, 'I’m absolutely fine; why?' She said that her husband had been contacted by the fake me saying that I had been mugged and stabbed in London, and that I was stuck there and needed money to get out, and that I was asking for $850 to be wired.

"And then I looked at my phone and I literally had like 15 text messages and two voice mail messages from friends of mine." All the messages were responses to the plea for help sent from "her" Facebook account.

Facebook, the most popular social networking site in the United States, has had its share of security issues this year, as it continues to grow in popularity. Facebook says it now has more than 250 million "active" users worldwide, about 75 million of them in the U.S. The site's appeal is not lost on criminals who want to steal passwords and personal information that can aid in identity theft.

McLain, who has been on Facebook for about a year, got off the phone with her friend and tried to log into her Facebook account. She could not. She saw that her e-mail user name had been changed to a Yahoo account (which she does not have).

She e-mailed Facebook through its "Report a possible security vulnerability" Web page, and she e-mailed Yahoo to alert them to the fraudulent e-mail account.

"I got a form letter back from Yahoo saying, 'Thanks for alerting us, there's not a lot we can do, but we'll try,'" she said. "But it didn't say they were going to shut it down. For all I know, that account is still open with my name on it, which really bothers me."

'I changed everything'
She also tried calling Facebook, dialing in vain a Southern California corporate number for the site; all she could do was leave a message with an operator. "I did that like five times, and I got no return call at all," she said.

She did hear from Facebook later that day, after a Denver TV station she contacted aired a report about her situation. She then got an e-mail from Facebook spokesman Barry Schnitt, who had told the TV station the problem was part of a "low-volume attack" on a small number of users. In his e-mail to her, she said, Schnitt apologized for the trouble and helped get her Facebook account reactivated.

"It was called a low-level breach, but to me, it wasn't low-level," said McLain. "I have a lot of friends (on Facebook). I have my daughter on there, my daughter's friends.

"I'm really trying to decide whether I want to stay on Facebook," she said. "I took my birth date off. I changed everything. I didn't have a lot of information up anyway, but what little I had, I made it a lot more vague."

So far, she doesn't think the phisher got any money from her friends. "The person posing as me didn't use very good English," she said. "That was the first hint to my friends that something was wrong. And I hope the second thing was that they'd know if anything ever happened to me like that, I wouldn't get on Facebook to solve my problem."

Sounds sensible, but as we all know, it's amazing what personal information finds its way onto Facebook, sometimes enough of it to help a stranger shape a profile of you and pose as you.

Similar cases have cropped up
"Red Tape" columnist Bob Sullivan wrote about a case similar to McLain's earlier this year, and noted that "Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable."

The phishing scam seems to be making its way around Facebook, not only in the United States but in other countries as well.

Australian Elias Bizannes, a finance manager, wrote about his experience on his blog earlier this year.

"I've received spam messages through Facebook, but never this before," he wrote. "A friend who I've barely spoken to since 2003 (we used to work together) sent me a Facebook IM (instant message) and we had a long discussion. She apparently needed me to urgently send her $600 as she was held up at gunpoint and lost everything.

"I am an experienced traveler so could sympathise with the situation but was fully aware of how con men operate as I've been done over before — and I could easily see someone falling for it."

Philippine Web developer John Raul Joven II thinks a friend's Facebook account was hacked, which is why he was approached last spring, via an instant messaging program, by that "friend" requesting help and money. It was somewhat believable, he wrote on his blog, because the friend does live in another country.

"It felt so real because this friend of mine is a very close one and I couldn't help but worry," he wrote on his blog.

Practice safe social networking
Facebook did not respond to a query about the McLain case and others that involve such e-mails from "friends." But Facebook repeatedly has urged its members to practice safe social networking, with advice offered on its security page.

Among the suggestions:

  • Make sure you have the most current version of Web browsers, such as Firefox and Internet Explorer, "as they contain important security warnings and protection features."
  • "Be sure to use a different password than you use for other sites or services, made up of a complex string of numbers, letters, and punctuation marks that is at least six characters in length. Do not use words found in the dictionary."
  • "If your computer has been infected with a virus or with malware (malicious software), you will need to run anti-virus software to remove harmful programs and keep your information secure."
  • "To prevent your account information from being obtained in a phishing scheme, only log in to legitimate pages of the Web sites you have an account with. For example, '' is not a legitimate Facebook page on the '' domain, but '' is a legitimate Facebook page because it has the '' domain. When in doubt, you can always just type in '' into your (Web) browser to return to the legitimate Facebook site."
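The last suggestion above comes down to one check: is the host in the address bar really the legitimate domain, or a lookalike that merely contains its name? The following Python is an added example written for this article, not code from Facebook or from the article itself. It assumes facebook.com as the legitimate domain (the article's own examples were not preserved in the text), treats only HTTPS pages as acceptable (an added requirement, not part of Facebook's advice), and runs the check over a handful of constructed sample URLs, including the common tricks of appending the real domain to a longer host or hiding it in the user-info part of the URL.

```python
from urllib.parse import urlsplit

# Assumption: facebook.com is the legitimate domain being protected.
LEGITIMATE_DOMAIN = "facebook.com"


def is_legitimate_login_url(url: str, legitimate_domain: str = LEGITIMATE_DOMAIN) -> bool:
    """Return True only if the URL is HTTPS and its host is the legitimate
    domain or a subdomain of it. Lookalike hosts that merely contain the
    domain name (facebook.com.example.net, notfacebook.com, facebook-login.example)
    fail, as does a URL that hides the real domain in the user-info part
    (https://facebook.com@evil.example/)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (for example unbalanced IPv6 brackets): treat as not legitimate.
        return False
    if parts.scheme != "https":
        return False
    # .hostname is lowercased and already stripped of port and user-info.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")
    domain = legitimate_domain.lower().rstrip(".")
    # Exact match, or a label boundary followed by the domain ("www.facebook.com").
    return host == domain or host.endswith("." + domain)


# Constructed sample URLs (not from the article); the evil/example hosts are made up.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://WWW.FACEBOOK.COM/",
    "https://facebook.com/",
    "http://www.facebook.com/",
    "https://facebook.com.example.net/login",
    "https://www.facebook.com.evil.example/",
    "https://notfacebook.com/",
    "https://facebook-login.example/",
    "https://facebook.com@evil.example/",
]


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to the verdict of is_legitimate_login_url."""
    return {u: is_legitimate_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print(f"{'legitimate' if ok else 'SUSPECT   '}  {url}")
```

The check deliberately compares whole host labels rather than asking whether the host "contains" the domain name, which is exactly the mistake a phisher's lookalike host is built to exploit.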

Security firm Sophos also offers helpful Facebook security and privacy tips.

On Tuesday, Facebook posted this information about yet another new scam: "We've received reports of e-mails claiming to be from Facebook with attachments that ask for financial information. These e-mails are fake and should be disregarded.

"Always be suspicious of strange e-mails, even if they appear to come from a legitimate address, and don't open attachments you don't trust."

© 2013