Security researchers at VeriSign iDefense can put a price on your Facebook account. As a recent attempt to sell 1.5 million accounts shows, social networking credentials are gaining value in the cyber-underworld.
Signing up for Facebook is free. But that doesn't
will have trouble turning a profit if they get their hands
on your user credentials.
Just how much money can be made is illustrated by new findings from VeriSign
iDefense, which uncovered a cyber-crook on an electronic fraud forum selling
1.5 million Facebook accounts at a price of $25 per 1,000 accounts with 10
contacts or less. For accounts with more than 10 friends the going rate was $45
The hacker, who went by the name "kirllos," is believed to be from
Eastern Europe based on the language being used
(Russian) and the forum in question, iDefense reported. It is not known whether
or not Kirllos is linked to the well-known
or any widespread phishing attacks.
"As highlighted by Facebook security personnel themselves, these
accounts can be used in money transfer schemes similar to Nigerian 419
scams," noted Rick Howard, director of cyber-intelligence at iDefense.
"But they can also be used for data mining to support other fraud
"Once you have the name and address and other profile-type information
from a social networking site, you can use it to corroborate your way into
debit card accounts and bank
accounts through social engineering,
" Howard added. "You could
also use these accounts as a platform to distribute malware through the friend
system. Even as a security guy, I have to double and triple clutch when it
comes to accepting friend invites from people that I do not know."
Facebook couldn't readily offer specific statistics on the number of
compromised or malicious accounts it has recently detected or suspended, but
Facebook spokesperson Andrew Noyes said "malicious actors are always
attacking the site." Compromised users undergo a remediation process to
reset their password and take other necessary steps to secure their accounts,
"We've built numerous defenses to combat
phishing and malware,
including complex automated systems that work behind
the scenes to detect and flag Facebook accounts that are likely to be
compromised based on anomalous activity like lots of messages sent in a short
period of time, or messages with links that are known to be bad," Noyes
told eWEEK. "Once we detect a phony message, we delete all instances
of it across the site. We also block malicious links from being shared and work
with third parties to get phishing and malware sites added to browser
blacklists or taken down completely."
People still do not treat Facebook messages with the same level of suspicion
they would if they received an e-mail or instant message with a suspicious
link, said Andrew Brandt, Webroot Software's lead threat research analyst.
"Because there's an inherent
and unfounded trust
in those messages/wall posts/whatever, the recipients
are more likely to be convinced to engage in a risky behavior, like clicking a
link that leads to a malicious Website," Brandt said. "In the end, a
stolen Facebook credential is like a skeleton key to social engineering attacks
against every family member, friend or acquaintance of the person whose
Facebook account has been compromised. The more friends the user has, the more
valuable the credential."
Malware can obtain credentials via keylogging or by stealing the data
contents of Facebook cookies that store the permissions that permit a user to
log back into the service without a password, Brandt explained. Phishing pages
are also a common ruse, and take on the appearance of the Facebook log-in page
to trick users into entering their credentials, he said.
Even accounts with no friends can be used to spread malware through social
engineering. Howard recommended that users be careful not to simply accept
the default setting
of social networks, and to make sure they have adjusted
the privacy settings to their liking.
"Facebook, in particular, has a security configuration page that is not
intuitive for the average user," he said. "Have the security people
in your organization devise a recommended policy regarding the security
configuration for corporate users."