It started with a phone call around 7.30pm on Wednesday night, January 14th. A concerned friend was calling from interstate.

“Mark, where are you?,” he asked.

“I’m at home. Why?” I replied.

“So you’re not in London?”

“No.”

“And you haven’t been robbed at gunpoint and had your wallet stolen?”

“No! What on Earth are you talking about?”.

“Mark, I am on Facebook right now, talking to you, and you’ve just told me that you’re in London, that you have been robbed, and that you need urgent financial assistance so you can get back to Sydney”.

“Oh crap!”.

Trying to Make Contact with Facebook

I immediately tried to log into my Facebook account. The login screen reported that I had used the wrong password. I guessed (correctly, as it transpired) that the hacker had changed my password to prevent me from accessing the account. I did a quick scan of the Facebook help pages and worked out that I could request that the password be reset, with the new password sent to my email account. I clicked to access the password reset screen, and Facebook asked me for details of the email address linked to my Facebook account. I entered my email address and it was rejected – the hacker had changed the email address linked to the account (presumably to stop the password being reset). Clever.

By this time, my mobile had rung several times and I had received multiple SMS messages from concerned friends, and the stress levels were rising.

I did another scan of the Facebook site looking for a contact phone number for their Help Desk or security team. Nothing listed. I looked for a contact email address. Nada. I did a couple of Google searches looking for any trace of a contact point (nothing, with the exception of the representative of their PR company).

The only option for making contact with Facebook that I could locate was to fill out their online form for reporting password problems, which I did immediately (in fact, I did it twice, one reporting the change of password, and one reporting the on-going phishing/scam activities by the hacker). Somewhat surprisingly, I received auto-confirmations of these reports to my email address, despite the hacker having changed the email address linked to the account.

I continue scanning the Facebook site for a direct contact address, first reviewing their Terms of Service and then their Privacy policy. Bingo – the Privacy Policy page listed the privacy@facebook.com email address. I sent them an email advising of the problem at 7.54pm, asking them to contact them immediately on my mobile.

I then jumped onto Twitter to ask my contacts whether anyone knew any representatives or employees at Facebook. No such luck.

A friend told me that my Twitter stream was still showing up in my Facebook status alert box (thanks to the Twitter app I had installed on my Facebook account), so I started sending a series of Twitter messages indicating my Facebook account had been hacked. Friends also started posting similar messages on my Facebook wall, trying to warn others of the on-going scam effort (although I later learnt the hacker started deleting these as soon as they appeared).

Leveraging social networks

For the next 24 hours, I waited.

I sent off several additional emails to Facebook (to their privacy@facebook.com email account, and to the return email address from which the auto-generated responses were sent, info+nszvnfe@facebook.com). I received no further responses.

The hackers were clearly still active in my Facebook account, as attested by the number of calls and SMSs I continued to receive. Several friends who had twigged to the scam played along with the hacker, and captured transcripts of the conversations, which they sent to me. The hackers were clearly sophisticated – the stories followed very closely to a script, but they were able to adjust according to the responses from my friends. They quoted Western Union account numbers for the transfer, and prodded my friends to “please hurry” as I was still in danger.

My levels of frustration and stress were steadily rising. The source of my stress was the fact that hackers were contacting some unknown number of my friends and trying to scam money from them, and I had no idea who or how many had fallen victim to the scam out of concern for my well-being. The source of my frustration was the fact that I could not raise anyone at Facebook to respond to this on-going criminal activity.

On Thursday night, after another evening and attempts to sleep punctuated by concerned calls and SMSs, I decided I needed to try to engage with local law enforcement agencies.

Around midnight, after answering another call from a concerned friend, I started researching my options. I called the Australian Federal Police (who, helpfully, have a 24/7 telephone service). Unfortunately, while they were familiar with the issue, they were unable to help (they pointed me in the direction of ScamWatch, a service run by the Australian Competition and Consumer Commission, a government consumer watchdog, for tracking scams, illicit multi-level marketing schemes and the like. As it was after midnight, I completed an online form describing the problem.

I then found the Australian High Tech Crime Centre. Unfortunately, it seems to be little more than a brochure-ware site that does not list any contact details. It did have an online form however, so I also submitted an alert via their site.

(At the time of writing, I have not received a single response from either the ACCC or the AHTCC.)

I returned to the Australian Federal Police Web site, and located the contact phone number for the New South Wales e-crimes squad. Unfortunately, there was no answer on the telephone number listed, nor a voicemail service.

By now, it was 1.30am, and I was at my wit’s end. I decided it was time to leverage some of my “social network” to address this issue.

I am a subscriber to Professor Dave Farber’s Interesting People mailing list. I knew this list had numerous computer security researchers as subscribers. So I penned a quick email, asking for help:

Dave,

I am writing partly to vent my frustration but mainly in the vain hope someone on the IP list can help me out.

My Facebook account was hacked approximately 40hrs ago. I discovered this when I was called by a concerned friend who wanted to confirm that I was being held at gunpoint in London and desperately needed him to wire me cash (via Western Union) so I could escape the country and return to Australia. Of course, I was not in London, and it was not me he was chatting to on Facebook.

I immediately attempted to log into Facebook, but the password had been changed. So I tried to reset the password, but the email address linked to my Facebook account had also been changed. I could not access my account.

I spent an hour scanning the Facebook site looking for a contact phone number. No such luck. I completed 2 different incident reporting forms, and received auto-confirmations. I then scanned their T+Cs and Privacy notices and discovered the privacy@facebook.com email address and sent an email to that address.

40 hours later, I have had no response from Facebook, and I have been alerted by friends that the perpetrators are still active on my account, initiating chats with people begging for help and a money transfer. I just alerted several authorities in Australia (though it is now 1.30am in Sydney, so had to use online forms). Unfortunately, the Australian Federal Police (who do have a 24hr hotline) couldn’t help me (they referred me to a Scam Watch service!).

So I am asking whether anyone on the IP list has a direct contact with an appropriate stakeholder at Facebook, or some specific advice on who I might contact in the US to get the account suspended and the perpetrators locked out (or, better, traced and apprehended).

Any feedback appreciated.

Regards,

Mark

It was clearly the right step to take. Within minutes of the email being distributed to mailing list subscribers, I received numerous offers of help. Within an hour, I received an email from Chris Kelly, Facebook’s Chief Privacy Officer, indicating that my email had been passed onto him, and that his team was on the case. Within an hour of Chris’s email, I received an email from Facebook Support, indicating that the account had been suspended. The hackers, it seemed, had been locked out.

Unanswered questions

I sent an email to both Chris Kelly and the support team thanking them for their assistance. However, I could not let the matter rest, as there were too many unanswered questions.

1. How did the hacker get into my account in the first place? Did they ‘brute force’ my password, or did they appear to already know it? (I have my theory that they exploited a known security weakness in the Twitter API).

2. Which of my friends did they make contact with? (so I could contact them personally and ensure no-one fell victim to the scam).

3. Why did it take Facebook over 48 hours to respond, and only then after my public plea for help which was passed by an external contact into the hands of the Chief Privacy Officer.

(Incidentally, only yesterday – 12 days after I submitted my original incident report via the Facebook online form – did someone from the Abuse department follow-up that report, and only then it was to note that it appeared it had already been dealt with).

4. Why doesn’t Facebook publish a contact phone number or the email address of a real person (such as the Chief Privacy Officer) as an escalation point?

I have received no answers to questions 1, 3, or 4, despite following up with Chris via email.

With respect to ascertaining which friends the hackers had contact with, I received this advice from Facebook:

Unfortunately, we cannot release the information you requested unless we receive a valid subpoena or court order. You should contact a lawyer or your local law enforcement agency and discuss this issue with them. If you decide to pursue legal action, have the lawyer or officer contact us at privacy@facebook.com, and we’ll provide more information about the process.

I was also advised (rather unhelpfully) that I could also check whether there were any messages in my Facebook Inbox or Wall that might reveal who the hackers spoke to. Clearly Facebook were not going to lift a finger to help me determine whether any my my friends (that is, other Facebook users) fell victim to this criminal activity perpetrated via their service.

Not Over Yet

Unfortunately, the saga wasn’t over yet.

Once my Facebook account had been suspended, the Support team sent me an email asking me to verify my identity (i.e. that I was the original owner of the account). They did this by asking me to answer a security question that was posed during the original account creation process. Having confirmed my identity, they issued me with an email containing instructions on how to reactivate my account.

I did not want to reactivate the account until I had received some answers. Unfortunately, the hacker had other ideas.

That evening, I received still more calls. The hackers were active on my account. After it had been suspended. Before I had reactivated it.

I immediately fired off an email to Chris Kelly asking what was going on. The account was promptly suspended again. But how did the hackers get back in?

The Support team suggested my PC might be infected by a Trojan program or some similar malware, which allowed the hackers to see my email. Multiple scans via several different tools and online security services indicated my PC was clean.

They also suggested that somehow the hackers also knew my email account password (I used a GMail account as the contact point for Facebook). Possible, I suppose, but very improbable.

Facebook are yet to provide me with an explanation of how the account found itself reactivated, and who reactivated it. Presumably they have IP address logging capabilities and could easily determine where the reactivation request came from.

Media Attention

My email to Prof Farber’s Interesting People discussion list took on a life of its own. It was republished in Risks Digest as well as on the Wired magazine blog, under the amusing title of Kidnapped on Facebook.

As a result, I was contacted by a number of journalists and media outlets in Australia and overseas, who ran stories on the hacking event. Within hours of each article appearing, I would receive emails from other victims of similar incidents who were also unable to get any response from Facebook. I pointed all of these people in the direction of Chris Kelly, and most replied indicating that soon after making contact with him, Facebook was quick to respond.

(If any one reading this is having similar difficulties with Facebook, please contact me and I will put you in touch with Chris)

Does Facebook Owe a Duty?

One of the people who contacted me for assistance made the observation that he doesn’t “blame” Facebook for the lack of support, given they provide a “free” service.

Complete claptrap.

Facebook’s service isn’t “free”. Users pay for it by giving Facebook access to their personal data (which they data mine for commercial purposes), and by giving attention to the (targeted) advertisements that Facebook generates as a result. We “pay” by paying attention.

In this day and age it is simply unacceptable for Facebook to have such a pitiful incident response infrastructure. If it’s “virtual” members were citizens, Facebook would be a sizeable country. It is the custodian of private data for tens of millions of people, and that data is all too frequently being misused by criminals.

I would argue that Facebook owes a fiduciary obligation to its members to take a more proactive stance than they have to date. It certainly should immediately upgrade the infrastructure and processes that it has in place for dealing with criminal activities and identity theft.

I am still awaiting a detailed response from Facebook to my questions. I don’t hold high hope of receiving any.