An IT/business magazine called Information Age, apparently aimed at executives with interest and responsibilities in IT, hit my letterbox this morning. That's an actual magazine with real paper pages: remember those? Seeing as it's Saturday, I took it back to bed with me to look through while I had the first coffee of the day, and found an interesting opinion piece called Trapped in the Matrix (you can read it online here, if you're interested).

The anonymous author tells how her Facebook account was hacked, she thinks by a "technically savvy, vindictive ex-boyfriend". Not an uncommon scenario, unfortunately: it's a recurring theme on a "security clinic" page to which I contribute.

In this case, the victim's page was "awash with libellous material" causing her to worry about her job, friends and reputation. Not nice for her, but equally disquieting is the inadequacy of the responses she reports receiving from Facebook:

  • No-one answered the phone
  • 36 hours waiting for a response from a real person (it does sound as if it was a weekend, though)
  • When she finally got some action, it was to disable the account, not to delete it. This is a commonly heard complaint: she suggests that it's done because Facebook advertising revenue is based on the number of accounts in operation.
  • Encouragingly, a Facebook representative intending to forward her mail instead hit reply, thus allowing her to see an unflattering comment suggesting that her complaints were boring him.

She also cites an article in the New York Times by Maria Aspan, called "How Sticky is Facebook Membership? Just Try Breaking Free", so I looked for that too. Fascinating. And possibly useful: it includes a couple of resources for people who are determined to get their Facebook accounts deleted, a task that seems to be on a par with jelly-herding and nailing cats to the wall. Or something like that.

Apparently one Magnus Wallin of Stockholm has founded a Facebook group, “How to permanently delete your facebook account” which at the time the article was written (about a year ago) was close to reaching 4,300 members. While I'm having a hard time getting my head round the idea of a Facebook group about deleting Facebook accounts - is that something like a prison camp escape committee? - the size of that group certainly tells us something about the size of the problem.

The "Matrix" author also claims that if you google "hacked Facebook account" you'll get "not a list of sites committed to helping victims, but a list of sites teaching people how to hack into accounts". Actually, I'd expect to get both types of hit to that search term, plus requests from hacked Facebook account holders asking for help: and when I tried it, that's pretty much what I got. Looking at some of those links in detail, I found an interesting mixture:

  • Cries for help from victims
  • Aspiring hackers asking for information on how to do it
  • People offering hacking tools and keyloggers that were almost certainly Trojans
  • Someone called Thea who turned up on several lists asking for someone to hack into her account and delete it. Or more likely someone posing as Thea, trying to get someone else to sabotage Thea's account.

In general, the most successful Facebook attack is probably phishing via Facebook messaging or other messaging systems, including standard email. Such attacks are designed either to trick people into sharing their passwords directly, or to persuade them to run malicious programs like Koobface by passing them off as patches, videos and so on. One particularly feeble-minded attack is to pass round snippets of JavaScript and suggest to the potential victim that he should paste it into his address bar and "see what happens". Not recommended...
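The "paste this into your address bar" trick works because a `javascript:` URL runs in the context of whatever page is currently open, so a site that renders user-supplied links (or a mail filter in front of it) should refuse to turn such URLs into anything clickable. The following is an added example, not code from the original post or from Facebook, showing a defensive scheme check; the function names, the scheme list and the sample links are my own assumptions, and the samples are constructed for illustration. The normalisation follows the way browsers parse a scheme before acting on it (leading and trailing C0 controls and spaces are dropped, embedded tabs and newlines are removed, and the comparison is case-insensitive), which is what defeats the usual obfuscated spellings.

```javascript
// Added example (not from the original post): a defensive URL-scheme check
// that a site or mail filter could apply to user-supplied links, so that a
// script-bearing URL is rendered inert instead of as a live link.
//
// Normalisation mirrors browser scheme parsing: strip leading/trailing
// C0 controls and spaces, remove embedded tab/LF/CR, compare case-insensitively.
// Assumption: this runs on the already entity-decoded attribute value, as a
// browser would see it, not on raw HTML source.

const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "data"]); // assumed block list

function normaliseForSchemeCheck(raw) {
  // Drop leading/trailing C0 control characters (U+0000-U+001F) and U+0020.
  let s = String(raw).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  // Remove ASCII tab, line feed and carriage return anywhere in the string.
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

function extractScheme(url) {
  const s = normaliseForSchemeCheck(url);
  // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null; // null for relative URLs
}

function isScriptUrl(url) {
  const scheme = extractScheme(url);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Safe href for rendering: script-bearing URLs become an inert placeholder,
// everything else is emitted in its normalised form.
function safeHref(url) {
  return isScriptUrl(url) ? "#blocked-link" : normaliseForSchemeCheck(url);
}

// Constructed sample links, including the obfuscated spellings that a naive
// lower-case startsWith("javascript:") check would miss.
const SAMPLE_LINKS = [
  "https://www.facebook.com/",
  "/profile.php?id=1",
  "mailto:someone@example.com",
  "javascript:void(0)",
  " \t JaVaScRiPt:void(0)",
  "java\nscript:void(0)",
  "\u0001javascript:void(0)",
  "data:text/html,<b>hi</b>",
];

for (const link of SAMPLE_LINKS) {
  console.log(JSON.stringify(link), "->", isScriptUrl(link) ? "BLOCKED" : "allowed");
}
```

The check deliberately runs on the decoded attribute value rather than on raw markup: a browser decodes `&#106;avascript:` before it parses the scheme, so a filter that looks only at the source text can be bypassed by entity encoding. Relative links (no scheme) are allowed through, since they can only point back into the site's own origin.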

Security companies are well aware of the general problems with social network sites, but sometimes threats are difficult to track, due to the proprietary nature of the network. So while you should certainly have and maintain security software such as antimalware (I can recommend a good scanner if you don't have one!!!) you shouldn't rely on it to save you from thinking about your own security. It never ceases to amuse me that so many users of social networking sites want to be my friend. The thing to be aware of is that on the Internet, not everyone who seems friendly has benevolent intentions.

David Harley
Director of Malware Intelligence