The estimable Gadi Evron has posted an article at DarkReading about a dialogue he was caught up in on Facebook. One of his contacts popped up in a Facebook Chat window and told him how she’d been been held at gunpoint and robbed in London, losing her credit card, cash and mobile phone.
Well, having lived in London for many years, I can vouch for the fact that violent muggings do happen in London (though more often with knives than guns), but regular scamwatchers will see where this one is going – the “stranded in X with no money” hook has been used a lot in the past 12 months: indeed, late in February 2009, UK politician Jack Straw was the victim of a case of similar identity theft when his constituents received email from his account, advising them that he had lost his wallet in Lagos and needed $3000 to settle his hotel bills and get home. Of course, the mail didn’t come from Straw, but someone who’d managed to phish or otherwise obtain his Hotmail password account.
You can read the details of Gadi’s brush with the lawless, impersonating one of this Facebook friends, at DarkReading (see above) but here are some points I thought were particularly interesting.
Gadi apparently hadn’t come across this particular scam before, but as a very smart guy with huge security experience quickly noticed some odd inconsistencies in the story he was being told. Not everyone has those advantages, but most of us can survive this sort of social engineering most of the time with a little critical thinking, and an understanding that not everyone on Facebook (Myspace, Twitter etc) who they seem to be (of course that’s true of older forms of interaction, too. More to the point in this case, someone who is indeed your friend can lose control of his or her account.
There’ve been less high-profile cases than the Jack Straw case, and forms of messaging other than email have been used: various IM services have been used, and many people are aware by now that such services are not inherently secure. However, the subversion of a known good account may be less easy to spot because when an account on Facebook, LinkedIn and so forth is broken into, the scammer doesn’t only get the messaging service, but a whole load of supporting “evidence” that he is the account owner: unfortunately, profile details and photographs don’t suddenly change to reflect the “change of ownership.”
However, common sense usually offers some protection: for instance, it’s usually a bad idea to send money online (especially by services like Western Union that offer scammer-friendly anonymity). As Gadi points out, there’s a brief but to-the-point Facebook security page here that offers some useful advice on such issues (including this type of scam).
David Harley BA CISSP FBCS CITP
Author David Harley, ESET