Cloned Facebook accounts hit up friends with spam and money requests

Filed Under: Facebook, Featured, Malware, Phishing, Privacy, Security threats, Social networks

It started in the fall, when the executive sports producer for the TV station WBAL - in the US city of Baltimore, Maryland - got a friend request on Facebook.

The request looked like it came from someone whom Chris Dachille knew, so instead of investigating who the sender really was, he went ahead and accepted.

Next thing you know, Dachille's new friend had scraped images and other information from Dachille's personal Facebook account and used it to create a profile under Dachille's name.

Using the cloned account and Dachille's friend list, the attacker then turned around and sent friend requests to Dachille's friends, many of whom accepted the overture.

As Ars Technica's Sean Gallagher reports, the attack quickly spread through the newsroom to Dachille's colleagues, with their own doppelganger Facebook accounts popping up and the attacker or attackers spamming out malicious links and using their assumed identities to request money.

It was only when Dachille's friends started to bombard him with warnings that he realized what was going on.

In an interview on WBAL, Dachille said that the idea of somebody pretending to be him and contacting his friends for money was "very troubling":

My first thought was, do they have my banking info? Do they have personal information, my [tax identification number], things like that?

Accepting a stranger's friend request isn't the same as handing over our Social Security numbers, but it does give potential attackers everything a friend can see on our profile - photos, birthday, friend list - and that is valuable bait for phishing expeditions.

Posing as colleagues or friends, attackers can send malicious links to our friend list, as was done at WBAL. Such links could well lead to malware that infects victims' computers with all manner of nastiness, including keyloggers.

In short, friending a stranger doesn't hand an attacker our banking information, but it certainly gets them a lot closer to it: they now hold the personal details and the trusted relationships that make a phishing lure convincing.

The media professionals used the "report abuse" button to alert Facebook, but it took weeks for the company to respond and take down the cloned accounts.

In fact, it took the involvement of the Maryland Attorney General, whom the station wound up contacting.

As Ars Technica's Gallagher points out, in Facebook's defense, it's difficult for the service to tell the difference between a fake account and a real one:

Many legitimate accounts share a name with another user, and the level of detail in their accounts made these clones seem genuine. [One of the reporters] told me that the duplicate account had even filled in a birthday that was close to the date of her own - information she hadn't provided in her original profile.

The victimized newsroom staffers were all using their personal accounts for both work and personal purposes, Gallagher said. The attackers not only scraped photos from the users' accounts, they also used lookalike email addresses, and, in some cases, used other personal data they obtained by getting the target to friend them.

Then they sent out friend requests to all the target's friends and repeated the process, launching spam news feed content from each of the cloned accounts.

What can a normal Joe do to claim their digital identities on, or within, social networks? Gallagher notes that Facebook offers a verified identity service for pages that are created to enable businesses and public figures to separate their personal and business personas.

Twitter, for its part, offers a blue "verified" checkmark badge to establish authenticity, but it's not open to everybody: mostly, the service concentrates on select users, such as celebrities, musicians or brands.

When someone receives a friend request, Facebook systems are designed to check whether the recipient already has a friend with the same name, along with other factors.

When people report impersonators using Facebook's built-in reporting flows, its teams review each one and take the appropriate action - including setting checkpoints (requiring additional information to proceed) or shutting down profiles if necessary.
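The checks described above - a friend with the same name already on the list, a lookalike email address of the kind Gallagher mentions, and a freshly created account - can be turned into a simple triage routine. The following is an added example, not Facebook's code or anything the company described in detail: the data structures, the one-edit tolerance for lookalike addresses, the 30-day "new account" threshold and the sample accounts are all assumptions.

```python
"""Triage an incoming friend request against the recipient's existing
friend list.  Added example, not Facebook's code: the heuristics follow what
the article describes (a same-name friend already present, a lookalike
e-mail address, a freshly created account); data structures, thresholds and
sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
import unicodedata


@dataclass(frozen=True)
class Account:
    name: str
    email: str
    created: date      # day the profile was created (assumed to be visible)


def normalize_name(name: str) -> str:
    """Casefold, strip accents and collapse whitespace so 'Chrís  DACHILLE'
    and 'chris dachille' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.casefold().split())


def normalize_local_part(email: str) -> str:
    """Reduce the part before '@' to a comparable form: casefold, drop dots,
    '+tags' and trailing digits, which is where lookalikes usually differ."""
    local = email.casefold().partition("@")[0]
    return local.split("+", 1)[0].replace(".", "").rstrip("0123456789")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_email(candidate: str, known: str) -> bool:
    """True when the addresses differ but their local parts collapse to
    within one edit of each other, e.g. chris.dachille@... vs
    chrisdachille1@... vs chrisdachile@...  The domain is ignored on
    purpose: clones tend to register the same handle elsewhere."""
    if candidate.casefold() == known.casefold():
        return False                      # the same address, not a lookalike
    return edit_distance(normalize_local_part(candidate),
                         normalize_local_part(known)) <= 1


def triage_request(request: Account, friends: list[Account],
                   today: date, max_age_days: int = 30) -> list[str]:
    """Return the reasons a request looks like a clone.  An empty list means
    no heuristic fired, which is not proof the request is genuine."""
    flags = []
    req_name = normalize_name(request.name)
    for friend in friends:
        if normalize_name(friend.name) == req_name:
            flags.append(f"already friends with a '{friend.name}'")
        if is_lookalike_email(request.email, friend.email):
            flags.append(f"{request.email} resembles {friend.email}")
    age = (today - request.created).days
    if age <= max_age_days:
        flags.append(f"account is only {age} days old")
    return flags


# Constructed sample data, not taken from the WBAL incident.
TODAY = date(2014, 1, 15)
FRIENDS = [
    Account("Chris Dachille", "chris.dachille@example.com", date(2009, 3, 2)),
    Account("Pat Reporter", "pat.reporter@example.org", date(2010, 7, 14)),
]
CLONE = Account("Chris Dachille", "chrisdachille1@example.net",
                TODAY - timedelta(days=3))
GENUINE = Account("Sam Newhire", "sam.newhire@example.org", date(2011, 5, 5))

if __name__ == "__main__":
    for req in (CLONE, GENUINE):
        flags = triage_request(req, FRIENDS, TODAY)
        print(req.name, "->", "; ".join(flags) or "no flags")
```

Run against the constructed data, the clone trips all three heuristics and the genuine newcomer trips none. The point of the exercise is the caveat in the last function: these are signals for a human to follow up out of band, not a verdict, since a legitimate namesake or someone who has just joined the service will also set them off.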

Gallagher mentioned not being able to get to the phishy content in time to check whether it led to malware. That's actually a good sign: it suggests Facebook squashes the malicious links quickly once they're flagged, even if the cloned accounts themselves lingered.

That's not much consolation to WBAL, which was plagued with the attack for weeks before the clones were taken down, but again, verification is a tricky business.

Gallagher proposes that the best defense might well be to contact the person directly, outside Facebook, and ask, "Is that really you?" Or, alternatively, to say, "Yes, this is really me."

How do you prove you're you, though? Do you hand over personal data? That seems to defeat the purpose.

And how do you know, when you're vetting a friend request, that the respondent isn't an attacker who's feeding you personal information he scraped off of heaven knows where?

Your thoughts are welcome in the comments section below.

In the meantime, Facebook told me that it's aware of these reports and has developed several techniques to help detect and block this particular form of abuse.

Facebook encourages people to:

  • Vet all friend requests;
  • Beware of suspicious emails with misspellings, typos, multiple fonts or oddly placed accents; and
  • Report suspected phishing messages using the appropriate links placed throughout the service.

Facebook has more help on phishing in its Help Center.

And if you'd like to keep up to date on the latest Facebook scams and other security-related news, consider liking our Naked Security Facebook page.

Image of news desk courtesy of Shutterstock.


11 Responses to Cloned Facebook accounts hit up friends with spam and money requests

  1. Bonnie · 640 days ago

    Another thing to be aware of is how they phrase things as they talk. They don't quite have the American language down. Sometimes it's too formal, or so very carefully worded. There are a lot of scammers out there. If you get an invite, Google image their picture. Most times you will find something that shows they are using someone else's information.

    • Lisa Vaas · 640 days ago

      Unfortunately, I don't believe that google image searching photos would raise any warning flags in the case of a cloned account, where photos have been scraped off of victims' Facebook pages.

      • You can right-click on a picture and select "copy image location", then paste it and search by image. It will show all the places that picture is being used. There are some young ladies using other people's photos on Facebook crafting sites to make albums and sell merchandise orders. Google will show everywhere that image has been used, so yes, it will help find the crooks.

    • Anonymous · 640 days ago

      There's lots you can do to prevent this. Hide your friend list so no one but you can see it. Look at how long the account has been open. Why would you add a friend who has a brand new account when you've been FB friends for a long time. Ask them first through another means besides FB. When in doubt go and block the person.

  2. I Edwards · 640 days ago

    My account was cloned, the same as detailed above. My friends warned me so I was able to get on it right away, but not at the expense of having some of my friends subjected to phishing. Now, when I receive a friend request I search Facebook to see if the name comes up more than once (that's how I found out mine was cloned). Then, I check the "born" date--the cloned ones usually have a 2013 date.

  3. Jonathan Stevens · 640 days ago

    Seems just like the old scammers from Nigeria, just using a different platform. I get so many of these "job requests" through LinkedIn and other Social that it's pretty annoying.

  4. Lisa Vaas · 640 days ago

    Or would it? Input, please?

    • Andrew Ludgate · 640 days ago

      Well, a google image search on the profile image should at least turn up the fact that there are two Facebook accounts using the same image and name -- although if you have your privacy settings locked down, you might not get that. This is one legitimate argument for making your profile image public though....

  5. Joe · 640 days ago

    This is why I rarely friend people I haven't met face to face.

  6. Cynthia · 632 days ago

    Whenever I receive a friend request on FB, I always answer with "Sorry, but I'm not sure if I know you. Can you please tell me where we met?" I do the same with Skype requests. If it's genuine, the answer will tell me. If I don't get a reply, I block and report. Works for me.

  7. helenatrandom · 518 days ago

    I dumbly accepted a second friend request today. Since then, the account has been removed. Do I need to do anything besides check daily to make sure there isn't a second account in my name? Do I need to run a malware scan?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.