Phished facebook friends may be sharing your info

What’s going on?

Ten days ago I received a received a facebook message from an old friend who I hadn’t talked to in over two years. Funny enough, it was also sent to about 500 other people and suggested I visit some shady website ending in “.im”. Turns out it’s a phising scam—i.e. it looks like facebook (but the url is something other than facebook.com), you think you’re logging in and give them your username/pass, and they redirect you back to facebook so you think nothing happened. Despite all the buzz about it on facebook and the internet in general, I have already received two more similar messages from different friends.

Why it matters to everyone.

There has been a lot of speculation about what the phishers plan to do with the data that they have stolen. A Wired article (link is now dead wired.com/politics/security/news/2008/01/facebook_phish) suggests that phishers may: (1) try to use these accounts to send out links to trojans (2) try similar usernames and passwords on other sites like eBay or Amazon or (3) “super-sneaky crooks” may try to use profile information to send targeted spam.

There's one big thing missing from that list… even though these phishers never tricked me into giving them my password, they got access to my friend's account and now they can view my profile. This means they can see my email address, hobbies, favorite this and that, and even—if I choose to show it—my home address and cell phone number. If these phishers really are “super-sneaky crooks” they’re not just stealing personal data from the people they trick, but from all of their friends too. Even though it was reported that these scams have only affected a fraction of a percent of facebook’s users, it’s conceivable that they have had the potential to access a majority of the email addresses on facebook. There’s a lot of money to be made by selling this information to spammers and—who knows—maybe even call centers and mass mailers.

Let’s look briefly at the numbers. A fraction of a percent of all users have been affected, maybe that’s 0.5% (1 in 200). That’s not so small if you realize that the average number of friends for a college kid is probably > 300. If you have a network this large, chances are that one of your friend’s accounts was compromised and now your email and private data may have been compromised too.

What can you do about it?

You have two options. (1) Hide all your contact info—even your email—from everyone, including your friends. It's a little hard to find, but facebook offers very fine-grained controls over your privacy settings. People who don't have your email can still contact you with a facebook message. Your other option is (2) hope that facebook does something to solve this problem. Unfortunately, I’m not so sure what facebook can do about it, attacks like this can happen to any social network. Bummer.

Update: while I was on vacation recently, I noticed that Facebook has added a new security feature to try to protect against phishing attacks. If someone logs into your account from an ip address that you have never personally used on facebook, they will ask you a security question like, "What is your birthday." Even if a phisher had your login credentials, they wouldn't be able to answer this question. This extra check seems pretty effective, except any intelligent phisher would of course add this step into their own phishing site.