Cyber criminals hijack Facebook profiles to steal money
(17/02/2009)
Top-ten lists of threats are filled with password-stealing malware, but it is actually very easy to guess many people's passwords for their social networking accounts. Whilst some may consider having their account hacked to be cool or a non-issue, others have found that criminals are starting to abandon the tiresome task of gathering details to steal an identity and are cutting straight to the chase.
Recently, one person's Facebook page was hacked and his status was changed to say he had been mugged abroad and needed help. One friend even wired him money, $600 twice, after the first amount "wasn't enough".
"You go to your friend's Twitter, Facebook, Myspace page and see an urgent plea for help. Your first thought should be that the friend's account has been stolen," comments Randy Abrams, ESET's Director of Technical Education. "If you needed help immediately, would you really put it up on your Facebook page or would you be doing something else to obtain assistance? OK, I can see where someone might use Twitter, but it is a really bad idea to believe such a request is genuine."
Gathering details to steal an identity takes time and patience, even when users make it easy by giving away all their details on networking sites. With significant sums of money being offered to "friends" in distress, it is easy to see why criminals would ditch the digging and go straight for the cash. ESET expects to see this type of attack increase during 2009 and warns people that requests for help, threats of legal action, or offers of free things should always be viewed with scepticism and investigated thoroughly before being acted upon.
The easiest way to hijack a social networking profile is to guess the password, because most people use really bad passwords. Using poor passwords for email or other web accounts can put friends at risk. No matter how obscure a word is, it is still easy for a computer to guess. No single word in any language is a good password. Always use at least two words; it is even better if a number is used as well, and a large number, like 1010, is much better than a small number.
"Remember, for a while all of the accounts on Twitter were accessible using an easily guessed name and the password," observes Randy Abrams. "If you haven't changed the password on your social networking page in the past 3 months, I strongly encourage you to do so."


