Did you know that Facebook makes it easy for others to steal your identity? Since every person in a given group needs the company or school URL in their email address to join, you might think everyone in that group is legit. Wrong. In fact it is very easy to set up a fake account, join various groups and then pose as a human resources contact to grab your login information.
Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc., tested his client's network using a bogus identity: he joined the company's Facebook group and started mining the names and email addresses of individuals who identified themselves as employees.
As he collected a database of names for the phishing phase of the penetration test, he secured a domain name similar to that of his client. This domain name took on the appearance of a human resources or benefits portal. When he emailed the employees as "human resources," they were directed to a web page such as https://www.xyzcompany-benefits.com.
He has been able to accumulate significant numbers of emails for phishing targets from Facebook and other social networking sites. When he launched his company's Facebook spear-phishing attack, he usually got an average response rate of 45 to 50 percent. So nearly half of the employees responded to an email with the logins and passwords they use on their employer's network.
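The lure above works because a domain like xyzcompany-benefits.com carries the company's name without being the company's domain. A mail gateway or a user-reported-phish triage script can flag exactly that pattern. The following is an added defensive example, not code from the original post or from Secure Network Technologies; it assumes xyzcompany.com is the organisation's only legitimate domain, and the e-mail text and URLs it scans are constructed for illustration.

```python
"""Flag look-alike domains in the sender address and links of an e-mail.

Added example (not from the original post). Assumptions: the legitimate
domain is xyzcompany.com; SAMPLE_EMAIL is a constructed lure modelled on
the "HR / benefits portal" pretext described in the post.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"xyzcompany.com"}  # assumption: the organisation's real domain

# Constructed sample e-mail: one look-alike sender, one look-alike link,
# one legitimate link, one brand-as-subdomain link and one unrelated link.
SAMPLE_EMAIL = """\
From: Human Resources <hr@xyzcompany-benefits.com>
Subject: Action required: confirm your benefits enrollment

Please sign in at https://www.xyzcompany-benefits.com/login within 24 hours.
Policy details: https://intranet.xyzcompany.com/benefits/faq
Questions? https://xyzcompany.com.hr-portal.net/help
Our partner: https://www.facebook.com/groups/xyzcompany
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
SENDER_RE = re.compile(r"^From:.*@([\w.-]+)", re.M)


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Production code should use the Public Suffix List so that hosts under
    co.uk and similar suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, legit=LEGIT_DOMAINS):
    """Return 'legit', 'lookalike' or 'unrelated' for a hostname.

    A host is 'lookalike' when its registrable label combines the brand
    with extra words (xyzcompany-benefits.com), when the brand appears as a
    subdomain of a foreign registrable domain (xyzcompany.com.hr-portal.net),
    or when its label is within two edits of the brand (xyzcompnay.com).
    """
    host = host.lower()
    reg = registrable_domain(host)
    if reg in legit:
        return "legit"
    reg_label = reg.split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for legit_domain in legit:
        brand = legit_domain.split(".")[0]
        if brand in reg_label.split("-"):
            return "lookalike"
        if brand in subdomain_labels:
            return "lookalike"
        if levenshtein(reg_label, brand) <= 2:
            return "lookalike"
    return "unrelated"


def scan_email(text, legit=LEGIT_DOMAINS):
    """Map every host in the From header and in linked URLs to a class."""
    findings = {}
    sender = SENDER_RE.search(text)
    if sender:
        findings[sender.group(1).lower()] = classify_domain(sender.group(1), legit)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            findings[host] = classify_domain(host, legit)
    return findings


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {host}")
```

The verdicts are review flags rather than block decisions: a partner's domain that legitimately contains the brand will also come up as "lookalike", which is the right outcome for triage, where an analyst confirms the domain once and adds it to the allow-list.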
Next the hacker can use your login to run a Nigerian or "419" scam. Via MSNBC:
Bryan Rutberg’s daughter was among the first to notice something odd about her dad’s Facebook page. At about 8 p.m. on Jan. 21, she ran into his bedroom and asked why he’d changed his status to: “BRYAN IS IN URGENT NEED OF HELP!!!”
Rutberg initially thought little of it, and lay down for an after-dinner nap. But an hour later, when his wife woke him to ask what was wrong, he took a second look and realized his Facebook account had been hacked. Within minutes, his cell phone was ringing non-stop, with concerned friends calling to offer help. Many had received an e-mail with the story that Rutberg had been robbed at gunpoint while traveling in the United Kingdom, and needed money to get home. One even sent $1,200 to a Western Union branch in London.
The Seattle resident and Microsoft employee then spent the next 24 hours in a frantic search for a way to contact Facebook and stop the hackers. But he was locked out of his own account and locked into a Catch-22; criminals had changed his login credentials so he couldn’t access his own Facebook page. That meant he couldn’t remove the dire status message.
He tried to use his wife's account to put a message on his "wall" indicating he was fine, but the scammer had "de-friended" his wife, so that didn't work. And he had no outside-of-Facebook way to contact many of his friends. Before he succeeded in getting his account deactivated, a friend's impulsive generosity had cost him big-time, and Rutberg was left wondering how carefully Facebook protects its users from these kinds of crimes.
“It was all over by Thursday (the next day) but not without a hell of a lot of drama,” Rutberg said. By then, friends had filled up his cell phone with text messages of concern, sent endless e-mails, and one even called Microsoft to warn the firm that an employee was in trouble.
Rutberg was the victim of a new, targeted version of a very old scam — the “Nigerian,” or “419,” scam. Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable.