As I lay in a sugar comatose one morning after the holidays last week, my stupor was interrupted by a series of phone calls from friends alerting me that I'd contacted them through a Facebook chat session and told them I'd been mugged in the U.K. while on vacation and needed money.
"Hey, Luke. Are you okay?" one friend frantically asked over the phone. "What's going on? Have you been mugged, and what are you doing in the U.K.?"
Another friend called to tell me, "Hey buddy, I think your Facebook password has been hacked. I'm getting IMs from you telling me you've been mugged and need money."
I ran over to my computer and saw half a dozen "chat" conversations that basically went like this:
Lucas Mearian (a.k.a. The Hacker)
How are you doing?
Hey, Lucas. Good. You?
Am not too good at the moment,I and my family are in a deep mess right now
We are currently stuck in (United Kingdom),went there on a short vacation and was mugged at a gun point last night
Kim [my wife] was hurt
Holy ####! I'm so sorry.
I was hurt on my head, writing you in tears now as we speak, All cash and credit card was stolen off including phone, it was a brutal experience and horrendous
Have you contacted the authorities?
We are freaked out here, have been to the embassy and the police they are not helping issues at all i was ask to come back in three weeks time....
Thank God we still have our life and passport with us......I need your help??
What can I do for you?
Our return flight leaves in few hours to this time and we are having a problem in sorting the hotel bill and get a cab down to the airport...Wondering if you can lend me some few $$$ i promise to refund it back to you as soon as we get back home tomorrow???
i only need $500 to add up
The hacker goes on to ask that the money be sent to another name and address in the UK via Western Union money transfer.
Thankfully, my friends are security savvy and they also know I'd never use a social network to ask them for money if I were ever desperate. The extremely poor grammar used in the chat threads was another red flag for them. I am, after all, a writer by trade.
After discovering the chat sessions, I changed my password and logged out. That stopped the phishing scam in its tracks. I then posted a general message on my wall alerting all my friends to the scam, but I was left with an uneasy feeling. How could someone have hacked my password? It was alphanumeric and the word I used was not common: It was the name of a childhood pet that no one other than my brother and my now deceased parents knew about.
I was also taken aback by the fact that a warm body had been sitting behind a keyboard conversing with my Facebook friends in real time. Phishing scams are traditionally conducted through zombie computers that distribute emails. It's pretty common to have received a phishing scam via email from a co-worker or other colleague. I wouldn't have thought twice about that.
This Facebook hack was more nefarious, and as I was to learn, rare but not unique.
As I alerted the friends who had been involved in an ongoing Facebook chat with the hacker that it was not I, the hacker would discontinue that thread and open a new one with another friend. It quickly became a bit like Whac-A-Mole. Worse, after I posted the general message on my Facebook page alerting friends to the phishing attack, the hacker then changed my privacy settings from public to private so that only I could see the posting. I caught that one quickly; that's when I changed my password and logged out before logging back in and changing my privacy settings to "friends only".
I've since thought long and hard about how someone could have hacked my password. Sure, I'd used the password on other sites (all of which I've now also changed). That may be one route a hacker could have used -- an old compromised credit card or retail site customer database.
As I have no facts with regard to how the attack could have happened, I can't say that my Facebook account was actually "hacked". A Facebook spokesman said after reviewing my page, it didn't appear to have been hacked, and it was more than likely a case of a scammer getting the password from another site where I'd used it before. Fair enough, I had used that password on some other sites.
While Facebook chat phishing attacks like mine are rare (it takes a lot of time and effort to chat with and scam multiple friends) the spokesman said they are "high impact" when they happen because they can appear the most authentic and can be some of the most succesful phishing schemes.
Facebook calls these phishing attacks "I'm stuck in London scams" or "4-1-9 schemes", a common term that comes from an infamous Nigerian scam where someone asks for money to address an urgent need
Specific things users can do to protect themselves:
Facebook claims that they search for instances of these attacks, looking for suspicious chat sessions where the same message is repeated multiple times, indicating spam or scams.
If you find yourself a victim of this type of hack, Facebook recommends going to its security page and using its anti-hacking tools to lock your Facebook page down. Facebook then offers steps for you to reauthenticate your account before being allowed to change the password and log back in.
"It locks out the account so whoever has your current password can't keep using it," the spokesman said. "It then allows you to reset your security question, add a mobile phone number, asks if you want to use two-factor authentication or have another way to get back into your account," he said. "It also lets you go back to previous iterations of the account to address any changes the hackers made."
The spokesman said Facebook has also worked with law enforcement to investigate cases and with Western Union to improve education. Western Union has posted a warning about this type of scam on its website. Western Union claim it has also alerted its branches in London, where the scammers are picking up the money.
The U.S. Federal Trade Commission on its website also has some good information about what victims of this scam should do.
The bottom line is that, unfortunately, you can almost count on someone gaining access to one of your accounts, whether it's a credit card, retail, or social networking site. It's best to be prepared. And you might want to think about how much information you post on your page as this will be used to make the phishing attack seem more authentic.
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed . His e-mail address is firstname.lastname@example.org.