Security: Stolen Facebook Accounts Being Used to Phish for Money from Friends

Facebook has been investing heavily in security in recent years – especially in its crusade against the Koobface worm – but a new approach to phishing on Facebook appears to be cropping up.

In a blog post yesterday, SnapStream CEO Rakesh Agrawal published a transcript of a Facebook chat he had with Facebook friend Matt Finkelstein in which “Matt” asked him to wire money to help him buy a plane ticket and leave the place where he was supposedly stranded. Agrawal became suspicious, however, and had the presence of mind to ask the person using his friend’s account a question that only his real friend Matt would know. When “Matt” answered incorrectly, Agrawal knew that his friend’s account had been compromised and that he was talking to a scammer. The scammer then cut off communication with Agrawal upon realizing they had been found out.

This problem does not seem to be very widespread currently. When asked about this type of attack, a Facebook spokesperson told Inside Facebook:

This is a very low volume attack, affecting only a small number of users, but the potential impact to an individual user is high so we’re taking it very seriously. Our team has already detected various trends in the accounts of users who have been compromised. We’re using this data to quickly surface compromised accounts, ideally before the spammers have gotten very far. When we find compromised accounts or they are brought to our attention, we’re working to make sure the accounts get back to their rightful owners as soon as possible. First, we are disabling the account because, in some cases, the spammer has added a new contact email address and removed the old one. We then ask the rightful owner to contact our user operations team via this contact form.

We’re reminding users to be very suspicious of anyone, even friends, who ask you over the Internet to send money. Please verify their circumstances through some other means than the web (e.g. call them or mutual friends). If you see something that looks amiss with any of your friend’s accounts, please report it to us through one of the contact forms on the site. These and other security tips can be found on our security page.

Facebook’s security staff has been employing a multi-pronged approach to preventing fraud and fighting it when it arises inside Facebook, combining user education with investment in advanced automated fraud detection systems. Facebook’s continued investments in security are vital to the company’s future as it stewards enormous volumes of trust (and data) from its users.

Here’s the full transcript of Agrawal’s chat:

7:20am Matt
whats up?

7:20am Rakesh
Hi Matt
Everything OK?

7:21am Matt
well,im really stuck here in london
i had to visit a resort here in london and i got robbed at the hotel im staying

7:22am Rakesh
ack… that’s terrible. Sorry to hear it.

7:22am Matt
we just want some helo flying back home

7:23am Rakesh
So why are you stuck there?

7:23am Matt
all my money to get a ticket back home got stolen

7:25am Rakesh
I didn’t understand this “we just want some helo flying back home”

7:25am Matt
actually i got some money wired to me to catch a flight back home
but we still need $800 more to complete our ticket fee and fly back home

7:26am Rakesh
Honestly, it sounds like someone’s hacked your Facebook account and is using it to defraud your friends.

7:26am Matt
i have the money in my checking acct,i cant just access it from here
this really me
Lauren is here with me
and my kids

7:28am Rakesh
your wife’s name is on your profile page

7:28am Matt
what about my kids name?

7:28am Rakesh
in photos?
how do we know each other? when did we meet?

7:29am Matt
from school

I do not know this guy from “school”… So when I responded and he figured out that I was on to him, he blocked me, etc. I tried emailing Matt at his e-mail address, but who knows if that address was his real address or not…