This is the story of how “devious cyberjerks” (her admirable phrase) locked out one Facebook user, hijacked her account, spammed her friends, stole her email account, compromised her bank account, cashed credit card-linked checks, and tried to pawn off what she considered to be some truly godawful gold lamé sneakers.
(I know what you’re thinking: what’s so bad about gold lamé sneakers, and where can I get them? Answer: I’m working on it and will provide updates in the comment section.)
The Facebook persona of Donna Estes Antebi – business woman, patent holder, writer, blogger, and children’s rights advocate – was hijacked by the “devious cyberjerks”, who used her account to hawk what she calls “knock-off, gold lamé, tricked-out Nike sneakers”, she wrote on Huff Post last week.
Fred Wolens, of Facebook Policy Communications, told me that the hackers were able to take advantage of a flaw in the site’s account recovery process that the company has since patched.
While all of Facebook’s account security emails contain a disavow link to prevent an unwanted reset, he said, the attackers added Donna’s email to a newly established account.
So while the recovery procedures were working just fine, they were trying to remediate Donna into the new dummy account, rather than her established profile, he said.
To its credit, following Ms. Antebi’s problems, Facebook added an option to recover accounts based on both current and former linked emails.
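To make the recovery flaw concrete, here is an added toy model (not Facebook's code, and all account ids, vanity URLs and e-mail addresses are constructed) of an account directory whose only recovery index is the *current* e-mail address. The attacker, already holding the victim's password, swaps the contact e-mail on the hijacked account, which frees the victim's address, then registers that address on a decoy account. The naive lookup then routes every reset to the decoy; the hardened lookup, modelled on the fix described above, returns every account that currently or formerly used the address:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    account_id: str
    vanity_url: str
    email: str
    former_emails: List[str] = field(default_factory=list)

    def change_email(self, new_email: str) -> None:
        """Re-point the contact address, keeping the old one in history."""
        if new_email != self.email:
            self.former_emails.append(self.email)
            self.email = new_email


class Directory:
    """In-memory account store (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, account_id: str, vanity_url: str, email: str) -> Account:
        # Uniqueness is enforced on the *current* e-mail only, which is what
        # lets the attacker re-register an address the hijacked account dropped.
        if any(a.email == email for a in self.accounts.values()):
            raise ValueError(f"{email} already linked to an account")
        acct = Account(account_id, vanity_url, email)
        self.accounts[account_id] = acct
        return acct


def naive_recovery_target(d: Directory, email: str) -> Optional[str]:
    """Pre-fix behaviour: recovery goes to whichever account holds the e-mail now."""
    for a in d.accounts.values():
        if a.email == email:
            return a.account_id
    return None


def hardened_recovery_candidates(d: Directory, email: str) -> List[Tuple[str, str]]:
    """Post-fix behaviour: every account that currently or formerly used the e-mail,
    tagged so the recovery flow can tell the two apart."""
    found = []
    for a in d.accounts.values():
        if a.email == email:
            found.append((a.account_id, "current"))
        elif email in a.former_emails:
            found.append((a.account_id, "former"))
    return sorted(found)


def build_scenario() -> Directory:
    """Constructed replay of the hijack sequence described in the article."""
    d = Directory()
    victim = d.create("1001", "victim.original", "victim@example.com")
    # Attacker already holds the password: changes the vanity URL and the
    # contact e-mail, which frees victim@example.com in the directory.
    victim.vanity_url = "attacker.chosen.name"
    victim.change_email("attacker@example.net")
    # Attacker registers the freed address on a decoy account in the victim's name.
    d.create("2002", "victim.decoy", "victim@example.com")
    return d


if __name__ == "__main__":
    d = build_scenario()
    print("naive recovery target  :", naive_recovery_target(d, "victim@example.com"))
    print("hardened candidate list:", hardened_recovery_candidates(d, "victim@example.com"))
```

Run as a script, the naive lookup returns only the decoy ("2002"), which is exactly why the victim's reset codes, trusted-friend codes and ID checks all landed on the wrong account; the hardened lookup surfaces the original account ("1001", tagged "former") as well, so a recovery flow can challenge the owner of the older account instead of silently trusting whoever holds the address today.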
But in the timeframe of her hacking ordeal, prior to the addition of the new account recovery ability, here’s what the hackers were able to do:
- They locked Ms. Antebi out of her account, changing the URL from its original www.facebook.com/donnaantebi to www.facebook.com/losokana (both accounts were offline when I checked).
- They used stolen registration information – password, email and cell phone number – to set up a new account in her name, www.facebook/antebi.donna (now offline).
- The criminals pre-loaded the new account with Ms. Antebi’s friends and personal photos.
- They spammed her friends with fake Nike solicitations.
- The hijackers pretended to be her: when friends asked whether it was really her spamming them about sneakers (she in fact never endorses heel-less shoes), they answered, “Oh yes, I just really love these Nike shoes!”
- Her email account was taken over, her banking was compromised, and two checks linked to her credit card were cashed.
What makes matters truly maddening is that once the hijackers had control of her Facebook account, Ms. Antebi couldn’t go through Facebook’s normal help channels, as she writes:
The hackers' new party trick was effective. Changing the name of my URL, and setting up a decoy account, meant that all of my complaints and subsequent Facebook security solutions bypass my real account, which is no longer under my name, and instead, get redirected to the fake Donna Antebi account. The hackers made it impossible for me to correct the problem via computer complaining -- which is the only frustrating way to communicate anything to Facebook. Genius.
Every day since April 22, 2012, I have emailed back and forth with a Facebook robot in their virtual complaint department, trying in vain to regain custody of my account. All the usual, "reset your password," "send a code to a trusted friend," or "show your identification" solutions continue to be redirected to the fake account. It's maddening.
She then tried calling Facebook but got stonewalled by the simple fact that Facebook doesn’t offer customer support.
So how does a Facebook account get taken over?
As Antebi discovered when she Googled “how to hack Facebook,” there are scads of services ready to take your credit card payment (or cash, or better yet, Western Union; any alarm bells going off yet?) to crack a Facebook account password.
Hack-Facebook.net is representative of that lot, though it’s on the higher end of the pseudo-professional scale with its “user ratings”, “free trial” download, and user testimonial video.
If the offer to help people hack Facebook as an act of revenge wasn’t enough of a red flag, the bad English would hopefully scare most people off from this type of service.
One assumes that one shouldn’t input credit card details into sites that offer illegal services such as these, let alone click on their videos.
I wrote to Ms. Antebi to find out how her password may have been cracked, but I hadn’t heard back by the time this article posted.
Some of the things I wanted to know:
- What were her Facebook and email passwords? Knowing the passwords would give hints as to their entropy. (Of course, revealing her passwords wouldn’t compromise her security now that her Facebook account has been shut down and, I would hope, her email account recovered.)
- Did she use the same password for multiple sites? If so, it’s easy to see how the Facebook hijacking could have been followed by the bank account/credit card compromises.
- Was she socially engineered? Did she recently provide anybody with the information they’d need to get her password reset? Was it phished via email? If so, the lesson here is to not send personal information or otherwise respond to inquiries you didn’t initiate.
- Did she open any attachments? Doing so could have installed a keylogger that recorded her password(s).
There are far too many ways that we can make ourselves into sitting ducks for this type of victimization.
As Antebi’s ordeal has illustrated, once your Facebook account gets compromised, getting it back is hellish. Hopefully, the additional recovery options Facebook has added will mitigate that migraine.
But Antebi is right: Facebook should provide customer support outside of robo-computer means.
On the customer service issue, Facebook’s line is predictable: robo-service enables it to “efficiently and effectively” (read: cheaply) serve its nearly 1 billion worldwide users, Wolens said.
At any rate, it’s good to note that you’ll get better results if you go through the www.facebook.com/hacked portal, he said:
Through email correspondence, our User Operations Team is able to verify the account owner via their email address and use automated methods to prioritize requests, making sure we're handling the most critical requests first. Additionally, we offer self-remediation through our www.facebook.com/hacked portal as we have found that users are more satisfied and can recover quicker with a self-service option.
It all boils down to the security hygiene you read about all the time: keep your passwords strong and unique to each site, don’t share your email account with others, and don’t click on unsolicited links in emails.
Hopefully, that hygiene will keep most of us from ever having to try out Facebook’s new account recovery step.