How to Win Friends and Steal Their Facebook Accounts

CANCUN–Facebook is a lot of things, and one of the things that it’s become of late is a fertile green field for attackers and scammers of all stripes. The Koobface worm is perhaps the most famous threat to hit the network, but the more mundane ones, such as scammers generating fake profiles automatically to spread spam and malicious URLs are becoming more and more prevalent, researchers say.


Paul Judge, the chief research officer at Barracuda Networks, said that the research his team has done shows that the scammers and attackers are having little trouble finding new victims and methods for spreading their scams and malware. One technique that’s become quite prevalent is the automatic generation of fake Facebook profiles that are then used to gather friends and contacts to spread dodgy URLs and likejacking scams.

Many of the affiliate scams rely on users clicking on a given URL or “like” button in order to get some sort of reward, such as a restaurant gift card or discount on some expensive item. Those gift cards and discounts, of course, don’t exist and the end goal of the scammers is simply to get users to visit some page or click on an ad. The attackers typically will get some commission for each click in these campaigns, and it’s not short money.

“It’s a very profitable venture,” Judge said in a talk at the Kaspersky Lab-Threatpost Security Analyst Summit here.

Barracuda Labs built a tool that’s capable of automatically crawling Facebook and identifying fake profiles, which often are the key to creating and spreading these scams. The engine looks at data on profiles such as how many people are tagged in photos, how the alleged user has set up her favorite people or musicians or movies and who that person’s friends are. What they found is that there are some fairly strong indicators that show which profiles are fake.

For example, in a fake profile the user would have several times more people tagged in a given photo than a real user would. Even in pictures that don’t have any people visible, there may be as many as 30 people tagged. Also, fake users are overwhelmingly identified as being women–97 percent–and 43 percent of the fake profiles never have an updated status.
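To show how indicators like these can be turned into a detection check, here is an added illustration (not Barracuda’s crawler or code) that scores constructed profile records against the tagging and status-update signals described above; the per-photo tagging baseline for a genuine account and the score threshold are assumptions, not figures from the talk.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Profile:
    name: str
    photo_tag_counts: list   # number of people tagged in each of the profile's photos
    status_updates: int      # how many status updates the profile has ever posted


# Assumed typical tags-per-photo for a genuine account (assumption, not from the talk).
REAL_TAGS_PER_PHOTO = 2.0


def fake_profile_indicators(p: Profile) -> dict:
    """Return which heuristic indicators from the talk fire for one profile."""
    avg_tags = mean(p.photo_tag_counts) if p.photo_tag_counts else 0.0
    return {
        # "several times more people tagged in a given photo than a real user"
        "excessive_tagging": avg_tags >= 3 * REAL_TAGS_PER_PHOTO,
        # the extreme case: a single photo with around 30 people tagged
        "mass_tagged_photo": any(n >= 30 for n in p.photo_tag_counts),
        # "43 percent of the fake profiles never have an updated status"
        "never_updated_status": p.status_updates == 0,
    }


def fake_score(p: Profile) -> int:
    """Number of indicators that fire; each indicator counts once."""
    return sum(fake_profile_indicators(p).values())


def flag_suspicious(profiles, threshold: int = 2) -> list:
    """Names of profiles whose score meets the (assumed) review threshold."""
    return [p.name for p in profiles if fake_score(p) >= threshold]


if __name__ == "__main__":
    # Constructed sample records, not real accounts.
    sample = [
        Profile("constructed_fake", photo_tag_counts=[12, 30, 8], status_updates=0),
        Profile("constructed_real", photo_tag_counts=[1, 2, 0, 3], status_updates=15),
    ]
    for p in sample:
        print(p.name, fake_score(p), fake_profile_indicators(p))
    print("flagged:", flag_suspicious(sample))
```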

The annoyance factor of getting friend requests from a string of fake people is one thing, but the fake profiles also can be a serious threat to actual users, Judge said. By abusing the password-recovery feature on Facebook that enables a user to have her friends vouch for her, an attacker could take over a user’s account.

“An attacker can take over a user’s account if he can get you to accept enough fake friends,” Judge said. If the attacker can get a user to accept requests from enough fake friends, he can then choose three of those friends as the ones he wants to vouch for him as the owner of the victim’s account and reset the password to one of his choosing.

And because some third-party sites and services allow users to authenticate with their Facebook credentials, taking over a victim’s account could lead to compromises of a string of other accounts.
