Your Facebook Profile May Be Sold by Russian Hacker

Want to hear some good news? We now know exactly how much your Facebook profile is worth on the open market: Between 25 and 45 cents, depending on whether you have more than 10 friends.

The bad news? How we found out.

According to Verisign's iDefense, a Russian hacker known as Kirllos is selling Facebook IDs in lots of 1,000 for $25 (if you have 10 friends or fewer) or $45 (if you're in the 11+ friends crowd). That explains the rash of bogus Facebook password reset spam I got last month. He has apparently phished the login credentials of some 1.5 million Facebook users, which he's now hawking on the antichat.ru forums.

Is your account one of them? There's really no way to know for sure, unless you're seeing stuff posted under your name you didn't put there. But if you've recently responded to an email purporting to be from Facebook asking you to log into your account, there's a very strong chance the answer is yes. (I'd recommend logging in and changing your password to something tricky. Do it right now. Go on, I'll wait.)

What can some miscreant do with your Facebook identity?

* He can use it to infect other Facebook users by posting links on your friends' walls to Web sites containing malware, à la the Koobface worm, which has been tormenting users of Facebook, MySpace, and Twitter for more than two years. Koobface can pull your PC into a botnet, at which point it doesn't really belong to you anymore.

* He can use it to run big-money con games on your friends, à la the infamous "London Scam," in which a cybercrook pretends to be an old friend of yours who's stranded overseas and needs you to wire him cash -- fast. The London Scam took at least one U.S. victim for $4,000. Unlike Nigerian 419 scams, which require mind-numbing stupidity on the part of their victims, the London Scam directly targets affluent, college-educated, computer-literate people. (I had a friend who got approached by the same scammer and was seriously considering wiring the money until I explained what was going on.)

* He can use it to embarrass, harass, or blackmail you. Want to ruin someone's reputation in a hurry? Log on as them and post humiliating or hateful content on their page.

But here's the bigger threat. Facebook really wants to be the single sign-on engine for the Web (see "What's to like about Facebook's 'Like' button?"). So a Facebook login isn't just a Facebook login anymore; it's also a login to sites like Unvarnished, the Huffington Post, and any others that use Facebook Connect. If that's not an argument against using Facebook for single sign-on, I don't know what is. Even if you don't use FB Connect, most people tend to reuse the same login on multiple sites; once a crook has your email address and favorite password, he can go to town on you. Nervous yet?

Bottom line: Your Facebook credentials are important, and only getting more so. If you want to protect yourself online, you'll need to protect them as well. Start by using different passwords for your favorite sites, changing them semi-regularly, and not getting duped by every stupid email marked "urgent."

Also: I gotta say I find this whole thing kind of insulting. I've got 700+ friends. I think my account is worth at least $1.50. Don't you?

When not not-getting duped, author Dan Tynan gets dopey at eSarcasm, his humor site for geeks who are not easily offended.
