Facebook Friends Lead to Big Money Scams
Written by Paul Cunningham on September 9, 2009
The Sydney Morning Herald reports that a South Australian woman became a victim of identity theft when her Facebook account was taken over by hackers. The hijacked account was then used to send messages to her friends saying that she was stranded overseas after being robbed and requested that money be wired to her to help her get back home.
The victim became aware of the hijack only after a friend phoned her from Singapore to verify the story. This was unfortunately too late for one other friend who had already wired $1000 to the scammers.
This type of scam, an account takeover followed by impersonation of the account holder, succeeds all too often on free social networking services because of several combined factors. Firstly, weak passwords are an easy attack vector. Most social networks do not require strong, complex passwords, and the perceived risk to most regular people is very low: where a person might consider their online banking password important and worthy of complexity, the password they choose for a fun social networking service just needs to be easy to remember.
Compounding this problem are weak password recovery systems. These are often based on questions such as “What is your pet’s name?”, information that many people readily reveal about themselves online.
The hackers were also able to change the account’s password and email address, locking the victim out of the recovery process altogether. A stronger system would require the account holder to confirm such a change by clicking a link in a verification email before it takes effect, and would notify the existing address at the same time. That would have alerted the victim to the attempt and blocked the hackers’ change of email address.
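The confirm-before-change flow described above, as an added example that is not part of the original post or of any Facebook code: the live address is never touched until a single-use token sent to the new address is presented, the old address receives a notice with a longer-lived revert link, and using the revert link restores the old address and invalidates existing sessions. The mailer, account store and token lifetimes are constructed assumptions for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CONFIRM_TTL = 60 * 60          # confirmation link to the new address: 1 hour (assumed)
REVERT_TTL = 7 * 24 * 60 * 60  # revert link to the old address: 7 days (assumed)


@dataclass
class Account:
    user_id: str
    email: str
    pending_email: Optional[str] = None
    session_version: int = 0   # bumped to invalidate every existing login session


@dataclass
class Token:
    kind: str          # "confirm" (sent to new address) or "revert" (sent to old address)
    user_id: str
    old_email: str
    new_email: str
    expires_at: float


class Mailer:
    """Stand-in for an outbound mail service: records what would have been sent."""
    def __init__(self):
        self.sent = []  # list of (to, subject, body)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def _hash_token(token: str) -> str:
    # Only a hash is stored, so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountService:
    def __init__(self, mailer: Mailer, now=time.time):
        self.mailer = mailer
        self.now = now                      # injectable clock, used to test expiry
        self.accounts: dict = {}            # user_id -> Account
        self.tokens: dict = {}              # sha256(token) -> Token

    def _issue(self, kind, acct, new_email, ttl) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_hash_token(token)] = Token(kind, acct.user_id, acct.email,
                                                new_email, self.now() + ttl)
        return token

    def request_email_change(self, user_id, new_email):
        acct = self.accounts[user_id]
        acct.pending_email = new_email      # the live address is NOT changed here
        confirm = self._issue("confirm", acct, new_email, CONFIRM_TTL)
        revert = self._issue("revert", acct, new_email, REVERT_TTL)
        self.mailer.send(new_email, "Confirm your new address", f"confirm={confirm}")
        self.mailer.send(acct.email, "Your email address is being changed",
                         f"If this was not you, click: revert={revert}")

    def _consume(self, token, kind):
        h = _hash_token(token)
        t = self.tokens.get(h)
        if t is None or t.kind != kind or t.expires_at < self.now():
            return None
        del self.tokens[h]                  # single use
        return t

    def confirm_email_change(self, token) -> bool:
        t = self._consume(token, "confirm")
        if t is None:
            return False
        acct = self.accounts[t.user_id]
        if acct.pending_email != t.new_email:   # cancelled or superseded request
            return False
        acct.email = t.new_email
        acct.pending_email = None
        return True

    def revert_email_change(self, token) -> bool:
        t = self._consume(token, "revert")
        if t is None:
            return False
        acct = self.accounts[t.user_id]
        acct.email = t.old_email            # works whether or not the change was confirmed
        acct.pending_email = None
        acct.session_version += 1           # log out whoever requested the change
        # Any outstanding confirm link for this user is now useless to the attacker.
        self.tokens = {h: v for h, v in self.tokens.items()
                       if not (v.user_id == t.user_id and v.kind == "confirm")}
        return True
```

In a real deployment the revert path would also force a password reset and a review of the account's recent activity, since whoever requested the change is assumed to hold a valid session or the password; the session version bump here is the minimal version of that response.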
Along with the weaknesses in social network backend security, the nature of the networks themselves makes them ripe for these types of scams. Messages from friends come with a higher perception of trust than messages from strangers, lowering our usual threat awareness.
The hackers can also target their messages more effectively by analyzing the personal information that people reveal to their online friends. Scam messages can be crafted around people’s listed interests and recent conversations. For example, if I were to ask my online friends for recommendations for my wife’s birthday, a spammer who had hijacked one of my friends’ accounts could send me links to counterfeit perfume websites. Again, this message would carry a much higher perception of trust because it comes from a friend, and it would also tap into an interest or desire that is on my mind at the time.
The last and possibly most frustrating element of this particular incident was the support that the victim received from Facebook. Customer service for free online services is, unsurprisingly, not very prompt. With no phone number to call and only an email address for abuse reports (no doubt a very long queue of both valid and frivolous complaints), the victim was unable to recover her account quickly enough to prevent further scam attempts on her friends.
This is basic social engineering at play: building trust and using targeted scams to improve success rates. Social networks are yet another vector for hackers to perform these types of attacks, and an effective one too. And unlike a bank, which will typically absorb customer losses from fraud, social networks leave the victims completely exposed to these risks.
Be on the alert for unusual requests from your online friends that might be scams in disguise, and always attempt to verify them by other means, such as a telephone call to the friend. And always protect your own accounts with strong passwords and password recovery answers that are genuinely secret.