It started in the fall, when the executive sports producer for the TV station WBAL – in the US city of Baltimore, Maryland – got a friend request on Facebook.
The request looked like it came from someone whom Chris Dachille knew, so instead of investigating who the sender really was, he went ahead and accepted.
Next thing you know, Dachille’s new friend had scraped images and other information from Dachille’s personal Facebook account and used it to create a profile under Dachille’s name.
Using the cloned account and Dachille’s friend list, the attacker then turned around and sent friend requests to Dachille’s friends, many of whom accepted the overture.
As Ars Technica’s Sean Gallagher reports, the attack quickly spread through the newsroom to Dachille’s colleagues, with their own doppelganger Facebook accounts popping up and the attacker or attackers spamming out malicious links and using their assumed identities to request money.
It was only when Dachille’s friends started to bombard him with warnings did he realize what was going on.
In an interview on WBAL, Dachille said that the idea of somebody pretending to be him and contacting his friends for money was “very troubling”:
My first thought was, do they have my banking info? Do they have personal information, my [tax identification number], things like that?
Giving a stranger access to a Facebook account might not be the same as handing over our Social Security numbers, but it does give potential attackers valuable bait for phishing expeditions.
Posing as colleagues or friends, attackers can send malicious links to our friend list, as was done at WBAL. Such links could well link to malware that infects victims’ computers with all manner of nastiness, including keyloggers.
In short, when we give strangers access to our Facebook accounts, it might not mean an attacker has gotten their hands on our banking information, but it certainly means that they’ve gotten a lot closer to it and are armed with information that’s useful in carrying out phishing expeditions.
The media professionals used the “report abuse” button to alert Facebook, but it took weeks for the company to respond and take down the cloned accounts.
In fact, it took the involvement of the Maryland Attorney General, whom the station wound up contacting.
As Ars Technica’s Gallagher points out, in Facebook’s defense, it’s difficult for the service to tell the difference between a fake account and a real one:
Many legitimate accounts share a name with another user, and the level of detail in their accounts made these clones seem genuine. [One of the reporters] told me that the duplicate account had even filled in a birthday that was close to the date of her own - information she hadn't provided in her original profile.
The victimized newsroom staffers were all using their personal accounts for both work and personal purposes, Gallagher said. The attackers not only scraped photos from the users’ accounts, they also used lookalike email addresses, and, in some cases, used other personal data they obtained by getting the target to friend them.
Then they sent out friend requests to all the target’s friends and repeated the process, launching spam news feed content from each of the cloned accounts.
What can a normal Joe do to claim their digital identities on, or within, social networks? Gallagher notes that Facebook offers a verified identity service for pages that are created to enable businesses and public figures to separate their personal and business personas.
Twitter, for its part, offers a blue “verified” checkmark badge to establish authenticity, but it’s not open to everybody: mostly, the service concentrates on select users, such as celebrities, musicians or brands.
When someone receives a friend request, Facebook systems are designed to check whether the recipient already has a friend with the same name, along with other factors.
When people report impersonators using Facebook’s built-in reporting flows, its teams review each one and take the appropriate action – including setting checkpoints (requiring additional information to proceed) or shutting down profiles if necessary.
Gallagher mentioned not being able to get to the phishy content in time to check whether it led to malware. That’s actually a good sign: it means that Facebook’s squashing this stuff fast when such issues arise.
That’s not much consolation to WBAL, which was plagued with the attack for weeks before the clones were taken down, but again, verification is a tricky business.
Gallagher proposes that the best defense might well be to connect with others personally to ask, Is that really you? Or, alternatively to say, Yes, this is really me.
How do you prove you’re you, though? Do you hand over personal data? That seems to defeat the purpose.
And how do you assume that when you’re vetting a friend request, the respondent isn’t an attacker who’s feeding you personal information he scraped off of heaven knows where?
Your thoughts are welcome in the comments section below.
In the meantime, Facebook told me that it’s aware of these reports and has developed several techniques to help detect and block this particular form of abuse.
Facebook encourages people to:
- Vet all friend requests;
- Beware of suspicious emails with misspellings, typos, multiple fonts or oddly placed accents; and
- Report suspected phishing messages using the appropriate links placed throughout the service.
Facebook has more help on phishing in its Help Center.
And if you’d like to keep up to date on the latest Facebook scams and other security-related news, consider liking our Naked Security Facebook page.