Signing up for Facebook is free. But that doesn't mean attackers will have trouble turning a profit if they get their hands on your user credentials.
Just how much money can be made is illustrated by new findings from VeriSign iDefense, which uncovered a cyber-crook on an electronic fraud forum selling 1.5 million Facebook accounts at a price of $25 per 1,000 accounts with 10 contacts or less. For accounts with more than 10 friends the going rate was $45 per 1,000.
The hacker, who went by the name "kirllos," is believed to be from Eastern Europe based on the language being used (Russian) and the forum in question, iDefense reported. It is not known whether or not Kirllos is linked to the well-known Koobface crew or any widespread phishing attacks.
"As highlighted by Facebook security personnel themselves, these accounts can be used in money transfer schemes similar to Nigerian 419 scams," noted Rick Howard, director of cyber-intelligence at iDefense. "But they can also be used for data mining to support other fraud operations.
"Once you have the name and address and other profile-type information from a social networking site, you can use it to corroborate your way into debit card accounts and bank accounts through social engineering," Howard added. "You could also use these accounts as a platform to distribute malware through the friend system. Even as a security guy, I have to double and triple clutch when it comes to accepting friend invites from people that I do not know."
Facebook couldn't readily offer specific statistics on the number of compromised or malicious accounts it has recently detected or suspended, but Facebook spokesperson Andrew Noyes said "malicious actors are always attacking the site." Compromised users undergo a remediation process to reset their password and take other necessary steps to secure their accounts, he said.
"We've built numerous defenses to combat phishing and malware, including complex automated systems that work behind the scenes to detect and flag Facebook accounts that are likely to be compromised based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad," Noyes told eWEEK. "Once we detect a phony message, we delete all instances of it across the site. We also block malicious links from being shared and work with third parties to get phishing and malware sites added to browser blacklists or taken down completely."
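As an added illustration of the two heuristics Noyes describes (a burst of messages in a short window, and links to domains already known to be bad), here is example detection code written for this page, not Facebook's own system; the log format, account names, timestamps and blocklist domains are all constructed:

```python
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log, one message per line:
# "<ISO timestamp> <sender account> <recipient> <message text>"
SAMPLE_LOG = """\
2010-04-22T09:00:00 alice bob Hey, lunch tomorrow?
2010-04-22T09:00:03 mallory carol check this out http://free-prizes.example/win
2010-04-22T09:00:05 mallory dave check this out http://free-prizes.example/win
2010-04-22T09:00:06 mallory erin check this out http://free-prizes.example/win
2010-04-22T09:00:08 mallory frank check this out http://free-prizes.example/win
2010-04-22T09:00:09 mallory grace check this out http://free-prizes.example/win
2010-04-22T09:00:11 mallory heidi check this out http://free-prizes.example/win
2010-04-22T09:30:00 bob alice Sure, see you at noon
2010-04-22T10:00:00 trent alice new photos http://known-bad.example/login
"""

# Hypothetical blocklist of domains already known to host phishing or malware.
BAD_DOMAINS = {"known-bad.example", "free-prizes.example"}


def parse_line(line):
    """Split one log line into (timestamp, sender, message text)."""
    ts, account, _recipient, text = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, text


def extract_domains(text):
    """Hostnames of any http(s) URLs embedded in the message text."""
    return {urlparse(tok).hostname for tok in text.split()
            if tok.startswith(("http://", "https://"))}


def flag_accounts(log, window_seconds=60, max_messages=5, bad_domains=BAD_DOMAINS):
    """Return {account: set of reasons} for senders whose activity looks anomalous."""
    reasons = defaultdict(set)
    recent = defaultdict(deque)  # sliding window of send times, per account
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, text = parse_line(line)
        window = recent[account]
        window.append(ts)
        # Drop timestamps that have aged out of the window before counting.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_messages:
            reasons[account].add("burst")      # too many messages, too fast
        if extract_domains(text) & bad_domains:
            reasons[account].add("bad_link")   # link to a known-bad domain
    return dict(reasons)
```

On the sample log, "mallory" is flagged for both reasons and "trent" only for the bad link; the thresholds are arbitrary and a real deployment would tune them against its own baseline traffic.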
People still do not treat Facebook messages with the same level of suspicion they would if they received an e-mail or instant message with a suspicious link, said Andrew Brandt, Webroot Software's lead threat research analyst.
"Because there's an inherent and unfounded trust in those messages/wall posts/whatever, the recipients are more likely to be convinced to engage in a risky behavior, like clicking a link that leads to a malicious Website," Brandt said. "In the end, a stolen Facebook credential is like a skeleton key to social engineering attacks against every family member, friend or acquaintance of the person whose Facebook account has been compromised. The more friends the user has, the more valuable the credential."
Malware can obtain credentials via keylogging or by stealing the data contents of Facebook cookies that store the permissions that permit a user to log back into the service without a password, Brandt explained. Phishing pages are also a common ruse, and take on the appearance of the Facebook log-in page to trick users into entering their credentials, he said.
Even accounts with no friends can be used to spread malware through social engineering. Howard recommended that users be careful not to simply accept the default settings of social networks, and to make sure they have adjusted the privacy settings to their liking.
"Facebook, in particular, has a security configuration page that is not intuitive for the average user," he said. "Have the security people in your organization devise a recommended policy regarding the security configuration for corporate users."