Facebook Chat Hack: It Can Happen to You
As I lay in a sugar coma one morning after the holidays last week, my stupor was interrupted by a series of phone calls from friends alerting me that I'd contacted them through a Facebook chat session and told them I'd been mugged in the U.K. while on vacation and needed money.
"Hey, Luke. Are you OK?" one friend frantically asked over the phone. "What's going on? Have you been mugged, and what are you doing in the U.K.?"
Another friend called to tell me, "Hey buddy, I think your Facebook password has been hacked. I'm getting IMs from you telling me you've been mugged and need money."
I ran over to my computer and saw half a dozen "chat" conversations that basically went like this:
Lucas Mearian (a.k.a. The Hacker)
How are you doing?
Hey, Lucas. Good. You?
Am not too good at the moment,I and my family are in a deep mess right now
We are currently stuck in (United Kingdom),went there on a short vacation and was mugged at a gun point last night
Kim [my wife] was hurt
Holy sh##! I'm so sorry.
I was hurt on my head, writing you in tears now as we speak, All cash and credit card was stolen off including phone, it was a brutal experience and horrendous
Have you contacted the authorities?
We are freaked out here, have been to the embassy and the police they are not helping issues at all i was ask to come back in three weeks time....
Thank God we still have our life and passport with us......I need your help??
What can I do for you?
Our return flight leaves in few hours to this time and we are having a problem in sorting the hotel bill and get a cab down to the airport...Wondering if you can lend me some few $$$ i promise to refund it back to you as soon as we get back home tomorrow???
i only need $500 to add up
The hacker goes on to ask that the money be sent to another name and address in the UK via Western Union money transfer.
Thankfully, my friends are security savvy and they also know I'd never use a social network to ask them for money if I were ever desperate. The extremely poor grammar used in the chat threads was another red flag for them. I am, after all, a writer by trade.
After discovering the chat sessions, I changed my password and logged out. That stopped the phishing scam in its tracks. I then posted a general message on my wall alerting all my friends to the scam, but I was left with an uneasy feeling. How could someone have hacked my password? It was alphanumeric and the word I used was not common: It was the name of a childhood pet that no one other than my brother and my now deceased parents knew about.
I was also taken aback by the fact that a warm body had been sitting behind a keyboard conversing with my Facebook friends in real time. Phishing scams are traditionally conducted through zombie computers that distribute emails. It's pretty common to have received a phishing scam via email from a co-worker or other colleague. I wouldn't have thought twice about that.
This Facebook hack was more nefarious, and as I was to learn, rare but not unique.
As I alerted the friends who had been involved in an ongoing Facebook chat with the hacker that it was not I, the hacker would discontinue that thread and open a new one with another friend. Worse, after I posted the general message on my Facebook page alerting friends to the phishing attack, the hacker then changed my privacy settings from public to private so that only I could see the posting. Thankfully, I caught that one quickly - that's when I changed my password and logged out before logging back in and changing my privacy settings to "friends only".
I've since thought long and hard about how someone could have hacked my password. Sure, I'd used the password on other sites (all of which I've now also changed). That may be one route a hacker could have used - an old compromised credit card or retail site customer database.
As I've got no facts with regard to how the attack could have happened, and Facebook's PR has yet to respond to my inquiry about the incident, I figured the way to help others is to simply alert them to the attack. If you've been the victim of such an attack or have heard of others, please do post a comment. I'm interested to hear what others think about this.