The other night while I was doing some writing and sipping a cup of Pikes Peak blend at Starbucks, I popped over to Facebook just to catch up with friends’ happenings for the day. In the ticker I saw that someone I knew had friended my wife. My mouse wandered over and hovered over my wife’s name, and the popup told me I could “Add as Friend”.
Funny, I thought I had done that a long time ago (literally and Facebook speaking). I friended “her” and then posted a FB status update asking why it was that FB had come between me and my wife! Several of my friends enjoyed that and we bantered back and forth a few times.
When I got home I mentioned it casually, and my daughter pulled out her phone, and sure enough she had had the same experience, only she was smarter than I was (a chip off the old block!). She looked at the Profile of this new “Mom” FB friend and though it had the same Profile Picture as “Real Mom”, the email address was totally bogus. She showed it to me, and both of us jumped into action.
I first got my wife involved, went to her FB account and changed her password. One cool thing about sites on the web in 2012 is that the really good ones will tell you when you last changed your password. Hers had not been changed in months and months, so we were relieved (but we changed it anyway).
Next I headed over to the FB help page to look for what needed to be done. Facebook must face this kind of thing a good bit because there were several obvious prepared questions (an FAQ about Facebook Phishing???).
We followed the instructions found in the FB help section, which involved a challenge response method to verify that the request was not an attempt to get FB to delete a legitimate account.
Next we began writing to the friends (9 of them within 2 hours) who had accepted the friend request, and made them aware of the bogus account.
At this point, it seems like the issue is taken care of.
But what was interesting to me in this experience is that I had seen this kind of phishing attack several months ago. A friend of ours who had lived in Asia for many years supposedly sent out a message on Facebook to different friends, ostensibly from West Africa, where she had travelled and met up with trouble. It didn’t ring true then, and a few days later the truth was sent out by our friend.
So when I realized what was happening, it occurred to me that the attack vector is pretty straightforward. Do a few Google searches for the name of an American (or other nationality; it’s a pretty adaptable method) who has an Internet history indicating living overseas. Match that to a public FB profile, grab the picture from the public FB profile and then create a bogus account. Send out friend requests, and after the target’s friends accept the friendship request, pull the phishing scheme.
It obviously works, because people continue to try it.
After we had taken action to get the fake account closed, one of my FB buddies told me about a time last year when he got a Chat request on FB from a friend who was ostensibly in London, in trouble and asking for help. Funny thing though, the friend was at home in Alabama (which was verified by a phone call). The scammer didn’t stay on the chat long enough for my friend to lure him into a reverse trap.
So, what can we learn? Well, for starters, just because Facebook feels more like a walled garden than the web as a whole, there are still devious people who want to take advantage of you.
Be careful, and maybe just bookmark this post (or clip it to Evernote!) in case you ever encounter a fake-account phishing attack.
Have you encountered something like this in using Facebook? How did you handle it?