This is the story of how “devious cyberjerks” (her admirable phrase) locked out one Facebook user, hijacked her account, spammed her friends, stole her email account, compromised her bank account, cashed credit card-linked checks, and tried to pawn off what she considered to be some truly godawful gold lamé sneakers.
(I know what you’re thinking: what’s so bad about gold lamé sneakers, and where can I get them? Answer: I’m working on it and will provide updates in the comment section.)
The Facebook persona of Donna Estes Antebi – business woman, patent holder, writer, blogger, and children’s rights advocate – was hijacked by the “devious cyberjerks”, who used her account to hawk what she calls “knock-off, gold lamé, tricked-out Nike sneakers”, she wrote on Huff Post last week.
Fred Wolens, of Facebook Policy Communications, told me that the hackers were able to take advantage of a flaw in the site’s account recovery process that the company has since patched.
While all of Facebook’s account security emails contain a disavow link to prevent an unwanted reset, he said, the attackers added Donna’s email to a newly established account.
So the recovery procedures were working as designed, but because her address was now linked to the dummy account, every recovery request was routed to that new account rather than to her established profile, he said.
To its credit, following Ms. Antebi’s problems, Facebook added an option to recover accounts based on both current and former linked emails.
But in the timeframe of her hacking ordeal, prior to the addition of the new account recovery ability, here’s what the hackers were able to do:
- They locked Ms. Antebi out of her account, changing the URL from its original www.facebook.com/donnaantebi to www.facebook.com/losokana (both accounts were offline when I checked).
- They used stolen registration information – password, email and cell phone number – to set up a new account in her name, www.facebook/antebi.donna (now offline).
- The criminals pre-loaded the new account with Ms. Antebi’s friends and personal photos.
- They spammed her friends with fake Nike solicitations.
- The hijackers pretended to be her: when friends asked whether it was really her spamming them about sneakers (she has never espoused heel-less shoes), they answered, “Oh yes, I just really love these Nike shoes!”
- Her email account was taken over, her banking was compromised, and two checks linked to her credit card were cashed.
What makes matters truly maddening is that once the hijackers had control of her Facebook account, Ms. Antebi couldn’t go through Facebook’s normal help channels, as she writes:
The hackers' new party trick was effective. Changing the name of my URL, and setting up a decoy account, meant that all of my complaints and subsequent Facebook security solutions bypass my real account, which is no longer under my name, and instead, get redirected to the fake Donna Antebi account. The hackers made it impossible for me to correct the problem via computer complaining -- which is the only frustrating way to communicate anything to Facebook. Genius.
Every day since April 22, 2012, I have emailed back and forth with a Facebook robot in their virtual complaint department, trying in vain to regain custody of my account. All the usual, "reset your password," "send a code to a trusted friend," or "show your identification" solutions continue to be redirected to the fake account. It's maddening.
She then tried calling Facebook but got stonewalled by the simple fact that Facebook doesn’t offer customer support.
So how does a Facebook account get taken over?
As Antebi discovered when she Googled “how to hack Facebook,” there are scads of services ready to take your credit card payment (or cash, or better yet, Western Union; any alarm bells going off yet?) to crack a Facebook account password.
Hack-Facebook.net is representative of that lot, though it’s on the higher end of the pseudo-professional scale with its “user ratings”, “free trial” download, and user testimonial video.
If the offer to help people hack Facebook as an act of revenge wasn’t enough of a red flag, the bad English would hopefully scare most people off from this type of service.
One assumes that one shouldn’t input credit card details into sites that offer illegal services such as these, let alone click on their videos.
I wrote to Ms. Antebi to find out how her password may have been cracked, but I hadn’t heard back by the time this article posted.
Some of the things I wanted to know:
- What were her Facebook and email passwords? Knowing the passwords would give hints as to their entropy. (Of course, revealing her passwords wouldn’t infringe on her security now that her Facebook account has been shut down and, I would hope, her email account recovered.)
The takeaway, of course, is to create a strong password. Test how long it would take to crack yours with Cameron Morris’s new Passfault password analysis tool.
- Did she use the same password for multiple sites? If so, it’s easy to see how the Facebook hijacking could have been followed by the bank account/credit card compromises.
- Was she socially engineered? Did she recently provide anybody with the information they’d need to get her password reset? Was it phished via email? If so, the lesson here is to not send personal information or otherwise respond to inquiries you didn’t initiate.
- Did she open any attachments? Doing so could have installed a keylogger that recorded her password(s).
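The first two questions above turn on password entropy and reuse. As an added example, not part of the original article or of the Passfault tool it links to, here is a small estimator of the kind a practitioner uses to sanity-check a password: it computes brute-force entropy from the character classes present, converts that to an expected crack time at two assumed guess rates (10/s for a throttled online login, 10 billion/s for an offline attack on a fast hash; both round-number assumptions), and flags passwords whose letter core is a common word or a personal name, because those fall to a dictionary attack long before their nominal entropy would suggest. The sample passwords and the word list are constructed; Ms. Antebi’s actual passwords were never published.

```python
import math
import string
from typing import Dict

# Constructed sample passwords for illustration only.
SAMPLES = ["password1", "Donna2012", "gold-lame-sneakers-4-sale!"]

# Assumed guess rates (guesses per second); round numbers, not measurements.
GUESS_RATES = {
    "online, rate-limited": 10.0,
    "offline, fast hash": 1e10,
}

# Tiny constructed stand-in for a cracking dictionary. Real lists hold
# millions of entries; personal names such as the owner's own belong in it.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "facebook", "donna"}


def charset_size(pw: str) -> int:
    """Size of the smallest alphabet an attacker must assume for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """Entropy if every character were chosen uniformly from its alphabet."""
    return len(pw) * math.log2(charset_size(pw))


def seconds_to_crack(bits: float, rate: float) -> float:
    """Expected time: an attacker finds the password halfway through the space."""
    return (2.0 ** bits) / 2.0 / rate


def looks_like_dictionary(pw: str) -> bool:
    """True when the alphabetic core of pw is a common word or name."""
    core = "".join(c for c in pw if c.isalpha()).lower()
    return core in COMMON_WORDS


def assess(pw: str) -> Dict[str, object]:
    bits = brute_force_bits(pw)
    return {
        "bits": bits,
        "dictionary": looks_like_dictionary(pw),
        "crack_seconds": {name: seconds_to_crack(bits, r)
                          for name, r in GUESS_RATES.items()},
    }


if __name__ == "__main__":
    for pw in SAMPLES:
        r = assess(pw)
        print(f"{pw!r}: {r['bits']:.1f} bits, dictionary={r['dictionary']}")
        for name, secs in r["crack_seconds"].items():
            print(f"    {name}: {secs / 86400 / 365:.3g} years")
```

The point the output makes is the one the article only hints at: `password1` scores over 46 bits of nominal entropy, which looks respectable against an online guesser, yet it is flagged as a dictionary word and would be among the first guesses an offline cracker tries. Entropy arithmetic only describes the password an attacker has to brute-force, not the one they can look up.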
There are far too many ways that we can make ourselves into sitting ducks for this type of victimization.
As Antebi’s ordeal has illustrated, once your Facebook account gets compromised, getting it back is hellish. Hopefully, the additional recovery options Facebook has added will mitigate that migraine.
But Antebi is right: Facebook should provide customer support outside of robo-computer means.
On the customer service issue, Facebook’s line is predictable: robo-service enables it to “efficiently and effectively” (read: cheaply) serve its nearly 1 billion worldwide users, Wolens said.
At any rate, it’s good to note that you’ll get better results if you go through the www.facebook.com/hacked portal, he said:
Through email correspondence, our User Operations Team is able to verify the account owner via their email address and use automated methods to prioritize requests, making sure we're handling the most critical requests first. Additionally, we offer self-remediation through our www.facebook.com/hacked portal as we have found that users are more satisfied and can recover quicker with a self-service option.
It all boils down to the security hygiene you read all the time – Keep your passwords strong. Don’t share your email account with others. Don’t click on unsolicited links in emails.
Hopefully, that hygiene will keep most of us from ever having to try out Facebook’s new account recovery step.
Donna Estes Antebi image, courtesy of Twitter.
Gold sneakers and Facebook woman images, courtesy of Shutterstock
Your post doesn't include the security feature of Facebook, where it sends out an email (with IP address) every time the profile is accessed. And cashing in at the bank is a little extreme; hope these cyber-criminals are brought to justice at the earliest.
I've been hacked twice in the past month and neither FB nor Apple can help or do anything about it. And it's shocking that FB doesn't have customer support; thankfully I was able to recover my accounts.
The problem with "But Antebi is right: Facebook should provide customer support outside of robo-computer means." is that the customers of Facebook are those big companies that pay for all the ads on Facebook. They probably get priority support in about a minute…
The "normal" user has low priority because he doesn't pay any real money. Instead his private data are the "commodity" sold by Facebook. Thus they probably think robots are enough to support the herd…
I have a feeling that Facebook DOES provide customer support… to their customers. i.e. those paying to advertise there. Ordinary users of their "free-and-always-will-be" service are NOT their customers. They are, rather, their PRODUCT.
Users are what Facebook SELLS to their customers.
I tried to show someone a picture from my Facebook account on my iPhone and I wondered why I couldn't sign in. When I returned home, I discovered that someone signed in from a different state. I am anal retentive about security and I change my passwords often. This is scary especially since all banks, credit cards, and financial institutions want you to use the web to save paper!!!
that happened to me too a few months ago.
Awesome, and a STERN warning to everyone out there to beef up their security on all fronts, lest you be easier to compromise online.
My guess as to how her account got hacked is that she answered a Facebook message from hackers called The Facebook Security Team, The Facebook Safety Team, Facebook Analysis, or some other Facebook-related but not actually Facebook name. Usually these people send a message threatening to permanently close your account if you don't answer within a certain amount of time (usually 24 hrs). The reasons for closing the account are that you have posted offensive content, posted abusive content, or in one case that I know of, used Facebook solely for playing games on Facebook.
That is not what happened to me at all. I come here to chat with family and friends via private messages, and play games. I NEVER click on anything that even resembles spam... but the horror happened to me just like it did her.
My ultimate Facebook account security solution:
I've never had a Facebook account.
Never will.
Swore off it following an invitation to join which gave an inkling of how much Facebook already knew about me even without an account, just from the Facebook accounts of a handful of acquaintances. Not even close friends. Scary spooky.
Haven't bought their stock either.
Never will.
Matt.
It's unconscionable that Facebook has no way for her to work with a live person to help with her dilemma. They should be taken to task for this. I long ago gave up on their system which is so full of holes that it couldn't hold even a drop of water, no less your password.
I totally agree!
I'm no security expert but is it a good idea to type your password into a form field on a website other than the one it is used to log into? I am sure the password tester is trustworthy but surely we should be fostering a paranoia with passwords that means if we supply them to anyone or anything other than the login they are intended for, we have to shoot them immediately?
Haha, my thoughts exactly. It's kind of like that adage "if you have to ask you probably can't afford it". In this case, if you have to ask if your password isn't secure, it probably isn't. If your passwords are using as much entropy as possible and are greater than 12 characters then you don't need a password honeypot ^b^b^b^b^b^b^b checker.
Yea, I had that same reaction, and I wound up talking to Cameron about it. I added his comments as a comment to that story. You can check there for the details, but beyond the details of how he secured the safety of submitted passwords, it's open-source. You can download all the code and test for yourself to see what it's up to.
Possibly unrelated to how she got hacked, but the log-out button is your friend. And it’s a good idea to use NoScript to block javascript by facebook.com and fbcdn.net for sites other than facebook itself. I got burned by a malicious FB app that installed automatically when I visited a non-FB site, because I had NoScript set to allow javascript by FB by default. FB is a little too lax about who they allow to use their site for apps.
I changed my password and am still being hacked. How does this happen? I will just get off of FB soon because it's not worth it.
As of June 30th nothing has changed in Facebook security. I was hacked, lost over 900 friends, all my credits that I had purchased for games, and my AOL email was compromised. How in the hell they did it I have no idea, but it was done between 11 am and 4 pm Pacific Standard Time, BUT when I locked my account, it said it was done at 1:07 am, so obviously it was out of the country. Yep, they were trying to sell those damn tennis shoes too. I don't want people to think you have to click on something to get hacked; I DO NOT click on anything. I will NO longer LIKE any pages. The last page I "LIKED" was the Penny Saver. That was the same day this all happened. So people, don't think it can't happen to you. IT CAN, because no matter how careful I was, it happened. It will change the way that I use FB from now on.
As far as Facebook helping its customers, well I ran across the same thing that she did. There is no customer service, there are no numbers to call. Of course I am one of one billion or so, so why should Facebook care about ME! I am a drop in their bucket of wealth. I found hundreds upon hundreds of people with the same complaints as I had; there is no one to help you out. I even wrote my local television station hoping that one of their troubleshooters could help me out. That didn't work either. Thanks KNBC, Channel 4 in Los Angeles.
So people, do not click on any damn thing, don't like any ads, don't like anything. Hopefully this is the last time this happens to me. Oh yeah, when I was trying to add my friends because I set up a new account, FB was sending me a message telling me to slow down or I might be stopped from using their service. Hello, that already happened. So it would be a NOT AGAIN situation.
I hope that no one will have to endure this again, but I know that is not true. As long as people make money, it will happen over and over again.
It's NO WONDER more & more people are FED up with FB & NOT using any longer!
The most important thing is not to reuse passwords. Having a Facebook account hacked may be embarrassing but it won't bankrupt you. Using the same password for your bank account might.
It happened to me, too, but I was “tagged” in an advertisement for stills to shoes 50% off. No customer support from Facebook. No help from Verizon and my email has been compromised as well as text messaging. Facebook's tech support number goes to some scammers in India that want your credit card number. I feel violated.
Treat your password like your toothbrush. Never allow anyone to use it and change it every month. Many fake emails come to us threatening deactivation of the email account if full particulars including the password are not submitted; simply ignore such emails.
I pass Facebook's head office every day. I wonder how they'd react if I turned up at their office and told them my account had been hijacked and I wanted them to fix it? Probably not well. I am in the industry so maybe I could apply to work there then drop in to the interview that I thought they needed help on security since my account had been stolen. Arrogant morons don't usually respond well to customer complaints until it is too late.
I sure wish the 'change your password frequently' idea would die. Changing an unhacked password is pointless.