Verisign Inc. (Nasdaq: VRSN)'s iDefense Labs is reporting that a Russian hacker calling himself "kirllos" is offering Facebook accounts on the down-low. For just $25, you can get 1,000 login credentials for accounts with fewer than 10 friends each; or for $45, the same number of accounts with more than 10 friends.
Why so cheap? There are likely two reasons for the low price. First, the low friend counts probably indicate that most of the accounts are bogus scam accounts created by robots that then auto-troll for friends. Second, having access to the Facebook accounts and actually making money from them are two different things. Unlike email logins or credit card information, turning a Facebook account into scammed cash takes a little more effort and ingenuity -- much of which can't be automated the way email scams can.
In fact, according to Symantec Corp. (Nasdaq: SYMC)’s latest Internet Security Threat Report, email user names and passwords are going for up to $20 each. Credit card lists are often higher. Compare that to the 25 cents for a Facebook login.
The New York Times reports that kirllos has access to 1.5 million Facebook accounts -- nearly 1 in 300 of Facebook’s estimated total account tally.
Facebook denies this is possible and says that kirllos is well known as a big-mouth in the hacker community. When Facebook's own investigators attempted to purchase accounts from the hacker, the goods were never delivered.
When this reporter attempted to contact Facebook for a direct reply about this hacker and VeriSign's report, no one could immediately respond.
Another source acknowledges the problem of fake accounts on social networks, not just Facebook. “There are tons of fake accounts on [Facebook], though [a] small percent compared to the numbers on Twitter. I'd guess under 5 percent are fake on Facebook versus 20 to 25 percent on Twitter,” states Brian Breslin, CEO of Web development firm Infinimedia, in an email.
He sees the issue as out of the site owners’ control: “Facebook itself is pretty clean of malware, however, they can't be responsible for the offer ecosystem that is built around the games. Third- and fourth-party ad networks are the ones who need to be held responsible for not screening their offers. Once they crack down on those networks, we'll see the malware evaporate.”
Some users on Facebook have been compromised before, and Facebook's own safety and security pages give the two most common types of account compromise: phishing and money transfers.
Phishing is a simple scam in which a hacker gains access to a user's account and then sends emails, messages, or other contacts to the account's friends, attempting to get them to click a link or otherwise visit a Website that will ask for personal information (likely a Facebook or payment service login). These work well, simply because most people believe the messages come from trusted friends.
Money transfer scams are more straightforward and are simple requests from the hacker (using the compromised account) to get money from friends.
Facebook's site says that they work hard to restore (rather than ban) compromised accounts, trying to detect how an account was compromised and re-securing it for the original user so all is not lost.
While the claims of kirllos may be exaggerated, it’s clear that social networking sites like Facebook and Twitter are often targets of attack. So protecting yourself is more than just keeping your PINs hidden and not divulging your SSN through email. Nowadays, it takes a lot more vigilance.
"The usual stuff applies no matter where you are on the Web," says Raphael Caixeta, an independent Web developer and entrepreneur based in Florida. "Use passwords that aren't linked to other accounts, that do not have easy-to-guess words in them, and especially do not log into your accounts from public computers or over unsecured WiFi connections. Most importantly, only friend people you really know and do not follow links blindly just because one of your friends sent it to you. Look at the URL and make sure you know where you are going."
— Craig Agranoff is an entrepreneur and national social media consultant as well as a published specialist in online reputation management and monitoring.