By Bob Sullivan, The Red Tape Chronicles
Bryan Rutberg’s daughter was among the first to notice something odd about her dad’s Facebook page.
At about 8 p.m. on Jan. 21, she ran into his bedroom and asked why he’d changed his status to: “BRYAN IS IN URGENT NEED OF HELP!!!”
Rutberg initially thought little of it, and lay down for an after-dinner nap. But an hour later, when his wife woke him to ask what was wrong, he took a second look and realized his Facebook account had been hacked. Within minutes, his cell phone was ringing non-stop, with concerned friends calling to offer help. Many had received an e-mail with the story that Rutberg had been robbed at gunpoint while traveling in the United Kingdom, and needed money to get home. One even sent $1,200 to a Western Union branch in London.
The Seattle resident and Microsoft employee then spent the next 24 hours in a frantic search for a way to contact Facebook and stop the hackers. But he was locked out of his own account and locked into a Catch-22; criminals had changed his login credentials so he couldn’t access his own Facebook page. That meant he couldn’t remove the dire status message. He tried to use his wife’s account to put a message on his “wall” indicating he was fine, but the scammer had “de-friended,” his wife, so that didn’t work. And he had no outside-of-Facebook way to contact many of his friends. Before he succeeded in getting his account deactivated, a friend’s impulsive generosity had cost him big-time, and Rutberg was left wondering how carefully Facebook protects its users from these kinds of crimes.
“It was all over by Thursday (the next day) but not without a hell of a lot of drama,” Rutberg said. By then, friends had filled up his cell phone with text messages of concern, sent endless e-mails, and one even called Microsoft to warn the firm that an employee was in trouble.
Rutberg was the victim of a new, targeted version of a very old scam — the “Nigerian,” or “419,” ploy. The first reports of such scams emerged back in November, part of a new trend in the computer underground — rather than sending out millions of spam messages in the hopes of trapping a tiny fractions of recipients, Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable.
In Rutberg’s case, criminals managed to steal his Facebook login password, steal his Facebook identity, and change his page to make it appear he was in trouble. Next, the criminals sent e-mails to dozens of friends, begging them for help.
Bryan Rutberg
“Can you just get some money to us,” the imposter implored to one of Rutberg’s friends. “I tried Amex and it’s not going through. … I’ll refund you as soon as am back home. Let me know please.”
Like all Facebook messages, the pleading note appeared right next to a picture of Rutberg, making it all the more convincing.
One of his friends, Beny Rubinstein — a fellow Microsoft employee — fell for the story. At 10:30 p.m. that Wednesday night, he sent $600 via Western Union using an online service. The following morning, Rubenstein received a phone message from the imposter, asking for more money. So he went to a local retail store and wired another $600.
In an e-mail to Rutberg, Rubenstein explains how he got taken in.
“I thought the whole story was weird but given the circumstances my instinct was to help you out,” Rubenstein wrote. “I was afraid it was a scam, but since I transferred using your name and given the emergency situation, I did it.”
No Facebook phone number
Facebook confirmed Rutberg’s identity theft story and says it’s beefing up security in reaction to the new scam. But Rutberg isn’t sure how effective the social networking company has been. His main complaint: There is no way to call the firm and sound the alarm that a crime is in progress. The company confirms it doesn’t accept phone calls.
“We don’t offer phone support. We would love to do that but with 150 million users worldwide we are just not staffed to do that,” said company spokesman Barry Schnitt. “I don’t know any free Web service that does.”
Instead, Ryan McGeehan, a member of Facebook’s security team, said the firm responds quickly when consumers fill out forms on its Web site complaining about account takeovers and other privacy concerns.
But Rutberg said he tried that, almost immediately, and got no response. He received no reply to e-mails sent to privacy@facebook.com, either.
“Facebook has been no help through normal channels,” he said. Only a message sent to a cousin who has a friend that’s a Facebook employee got results. Thanks to this personal, internal contact, Rutberg said, the account was disabled.
How to find out who’s been hit?
But one week later, Rutberg still couldn’t get into his old account, meaning he had no way of knowing which friends had been contacted by the scammer.
McGeehan said Rutberg’s experience was unusual; identity theft victims normally have their accounts restored quickly through a process that involves e-mails from customer support with challenge questions like “What was your pet’s name.” Then, users can quickly track down friends who might be potential victims.
McGeehan confirmed that other victims had wired money in response to similar pleas for help, though he said the scam has impacted a very small number of users. Facebook won’t refund any of the victims, McGeehan said.
Facebook is also adding tools that automatically detect suspicious behavior typical of a Nigerian scammer and warns users, McGeehan said.
“We are trying to improve the process,” he said.
But Facebook has had several months to find a solution to the Nigerian scam – at least since the initial reports back in November – and it’s still failing to protect users, says Mark Neely, a Facebook user who lives in Australia, and was hit by the same identity theft scam on Jan. 14. He said he found the online security report form fruitless.
“(I) heard nothing from Facebook for over 40 hours,” he said. “The hackers were still active in my account — I was receiving phone calls and SMSs (text messages) from concerned friends throughout.”
Only after he posted a note that got the attention of Wired magazine did he get a response from the company. His account was disabled, but when asked for data showing him which friends had been contacted by the criminals, Facebook officials refused.
“Facebook told me that they could not disclose those details for privacy reasons and that I should consult a lawyer and obtain a court order for disclosure,” he said. Because his imposter de-friended nearly everyone in his account, two weeks later, he has no idea how far the scammers got. He wasn’t shy about his frustration with Facebook.
“Absolutely pathetic response times, and even worse ‘support’ in remedying the problem and ensuring none of their customers lost money,” he said.
‘Easier to pretend you’re someone else’
Kevin Haley, a director at Symantec Corp.’s Security Response team, said his firm is seeing a sharp uptick in attacks on social networks, though he could provide no precise data.
“It’s easier to pretend you’re someone else in the Facebook environment,” he said. “We are seeing a tremendous amount of phishing for login credentials for social networks.”
Rutberg isn’t sure how criminals got his password, but he thinks he probably did fall for a phishing e-mail. Because Facebook regularly contacts its users through e-mail, and includes links in those e-mails to login pages, the format is ripe for phishers. It’s easy to imitate Facebook e-mails and simply send users clicking to a look-a-like login page that steal passwords.
Haley said there really isn’t a way for antivirus software to stop such a scam.
“There’s no malware involved,” he said. “Some of it can be caught with spam filters … but really, this is just an instance of people talking to each other through e-mail, you can’t stop that.”
RED TAPE WRESTLING TIPS
Facebook’s security team recommends use of an anti-phishing filter to weed out Facebook phish. It also recommends that users pay close attention each time they log on, to make sure they’ve landed on the authentic Facebook site.
The firms also made a number of other recommendations:
• Be suspicious of anyone – even friends – who ask for money. Verify their circumstances independently, preferably by direct telephone contact.
• Don’t use the same password for all Web accounts — something many Web users do. Because Facebook is so popular, criminals who manage to steal any user’s password will surely try it on Facebook.com.
• Have more than one contact email address, in case one is compromised.
Victims of the scam — or any bout with Facebook identity theft — should fill out the form at this Web site, Facebook says. Keep the link handy: It’s very hard to find using normal methods from Facebook’s home page. http://www.facebook.com/help/contact.php?show_form=account_compromised.
