Mark Neely’s Blog - 3rd Horizon

The wanderings of a perennially curious mind



My Facebook Nightmare

January 28th, 2009 by admin

It started with a phone call around 7.30pm on Wednesday night, January 14th. A concerned friend was calling from interstate.

“Mark, where are you?” he asked.

“I’m at home. Why?” I replied.

“So you’re not in London?”

“No.”

“And you haven’t been robbed at gunpoint and had your wallet stolen?”

“No! What on Earth are you talking about?”

“Mark, I am on Facebook right now, talking to you, and you’ve just told me that you’re in London, that you have been robbed, and that you need urgent financial assistance so you can get back to Sydney.”

“Oh crap!”

Trying to Make Contact with Facebook

I immediately tried to log into my Facebook account. The login screen reported that I had used the wrong password. I guessed (correctly, as it transpired) that the hacker had changed my password to prevent me from accessing the account. I did a quick scan of the Facebook help pages and worked out that I could request that the password be reset, with the new password sent to my email account. I clicked to access the password reset screen, and Facebook asked me for details of the email address linked to my Facebook account. I entered my email address and it was rejected - the hacker had changed the email address linked to the account (presumably to stop the password being reset). Clever.
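The sequence this paragraph describes (a login the owner did not make, then a password change, then a change of the linked email address so the reset path is blocked) is also a recognisable pattern from the provider's side. As an added example, not code from this post or from Facebook, here is a check over a constructed account audit log with a hypothetical schema (`time user event source_ip`; the event names are assumptions): it flags any account where a login from an IP never seen before for that user is followed, within a short window and from the same IP, by both a password change and a recovery-email change.

```python
"""Flag the takeover sequence: new-IP login -> password change -> recovery-email change.

Added example over a constructed audit log; the log schema and event names
are assumptions, not any real provider's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (hypothetical schema: time user event source_ip).
# 'mark' shows the pattern from the post; 'alice' changes credentials from her
# usual IP; 'bob' logs in from a new IP but only changes his password.
SAMPLE_LOG = """\
2009-01-10T08:02:11Z mark login 203.0.113.7
2009-01-11T19:40:03Z mark login 203.0.113.7
2009-01-12T07:15:42Z alice login 192.0.2.44
2009-01-13T07:15:42Z alice login 192.0.2.44
2009-01-14T17:05:10Z mark login 198.51.100.23
2009-01-14T17:06:30Z mark password_changed 198.51.100.23
2009-01-14T17:07:02Z mark recovery_email_changed 198.51.100.23
2009-01-14T17:09:55Z mark chat_started 198.51.100.23
2009-01-14T18:00:00Z alice login 192.0.2.44
2009-01-14T18:05:00Z alice password_changed 192.0.2.44
2009-01-14T18:06:00Z alice recovery_email_changed 192.0.2.44
2009-01-14T19:00:00Z bob login 192.0.2.10
2009-01-15T09:01:00Z bob login 203.0.113.99
2009-01-15T09:02:00Z bob password_changed 203.0.113.99
"""


@dataclass
class Event:
    time: datetime
    user: str
    event: str
    ip: str


@dataclass
class Alert:
    user: str
    ip: str
    login_at: datetime
    password_changed_at: datetime
    recovery_email_changed_at: datetime

    @property
    def elapsed(self) -> timedelta:
        """Time from the suspicious login to the recovery-email change."""
        return self.recovery_email_changed_at - self.login_at


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated sample format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e.time)
    return events


def find_takeover_sequences(events: List[Event],
                            window: timedelta = timedelta(minutes=60)) -> List[Alert]:
    """Return one Alert per (user, login) where a login from an IP not seen in that
    user's earlier events is followed within `window`, from the same IP, by both a
    password change and a recovery-email change."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts: List[Alert] = []
    for user, evs in by_user.items():
        known_ips = set()  # IPs seen for this user in earlier events only
        for i, e in enumerate(evs):
            if e.event == "login" and e.ip not in known_ips:
                deadline = e.time + window
                steps: Dict[str, datetime] = {}
                for f in evs[i + 1:]:
                    if f.time > deadline:
                        break
                    if f.ip == e.ip and f.event in ("password_changed", "recovery_email_changed"):
                        steps.setdefault(f.event, f.time)  # keep the first occurrence
                if "password_changed" in steps and "recovery_email_changed" in steps:
                    alerts.append(Alert(user, e.ip, e.time,
                                        steps["password_changed"],
                                        steps["recovery_email_changed"]))
            known_ips.add(e.ip)
    return alerts


def summarize(alerts: List[Alert]) -> List[str]:
    """One human-readable line per alert."""
    return [
        f"{a.user}: login from new IP {a.ip} at {a.login_at:%H:%M:%S}, "
        f"password changed {a.password_changed_at:%H:%M:%S}, "
        f"recovery email changed {a.recovery_email_changed_at:%H:%M:%S} "
        f"({int(a.elapsed.total_seconds())}s after login)"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in summarize(find_takeover_sequences(parse_log(SAMPLE_LOG))):
        print(line)
```

Only `mark` is flagged: `alice` makes the same two changes from an IP already associated with her account, and `bob` logs in from a new IP but never touches the recovery address. A legitimate owner who sets up a new device and immediately rotates both password and recovery address would also match, which is why this pattern is better treated as a trigger for a notification to the previous recovery address (with a way to revert the change) than as an automatic lockout.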

By this time, my mobile had rung several times and I had received multiple SMS messages from concerned friends, and the stress levels were rising.

I did another scan of the Facebook site looking for a contact phone number for their Help Desk or security team. Nothing listed. I looked for a contact email address. Nada. I did a couple of Google searches looking for any trace of a contact point (nothing, with the exception of the representative of their PR company).

The only option for making contact with Facebook that I could locate was to fill out their online form for reporting password problems, which I did immediately (in fact, I did it twice, one reporting the change of password, and one reporting the on-going phishing/scam activities by the hacker). Somewhat surprisingly, I received auto-confirmations of these reports to my email address, despite the hacker having changed the email address linked to the account.

I continued scanning the Facebook site for a direct contact address, first reviewing their Terms of Service and then their Privacy Policy. Bingo - the Privacy Policy page listed the privacy@facebook.com email address. I sent them an email advising of the problem at 7.54pm, asking them to contact me immediately on my mobile.

I then jumped onto Twitter to ask my contacts whether anyone knew any representatives or employees at Facebook. No such luck.

A friend told me that my Twitter stream was still showing up in my Facebook status alert box (thanks to the Twitter app I had installed on my Facebook account), so I started sending a series of Twitter messages indicating my Facebook account had been hacked. Friends also started posting similar messages on my Facebook wall, trying to warn others of the on-going scam effort (although I later learnt the hacker started deleting these as soon as they appeared).

Leveraging social networks

For the next 24 hours, I waited.

I sent off several additional emails to Facebook (to their privacy@facebook.com email account, and to the return email address from which the auto-generated responses were sent, info+nszvnfe@facebook.com). I received no further responses.

The hackers were clearly still active in my Facebook account, as attested by the number of calls and SMSs I continued to receive. Several friends who had twigged to the scam played along with the hacker, and captured transcripts of the conversations, which they sent to me. The hackers were clearly sophisticated - the stories followed a script very closely, but they were able to adjust to my friends’ responses. They quoted Western Union account numbers for the transfer, and prodded my friends to “please hurry” as I was still in danger.

My levels of frustration and stress were steadily rising. The source of my stress was the fact that hackers were contacting some unknown number of my friends and trying to scam money from them, and I had no idea who or how many had fallen victim to the scam out of concern for my well-being. The source of my frustration was the fact that I could not raise anyone at Facebook to respond to this on-going criminal activity.

On Thursday night, after another evening and attempts to sleep punctuated by concerned calls and SMSs, I decided I needed to try to engage with local law enforcement agencies.

Around midnight, after answering another call from a concerned friend, I started researching my options. I called the Australian Federal Police (who, helpfully, have a 24/7 telephone service). Unfortunately, while they were familiar with the issue, they were unable to help (they pointed me in the direction of ScamWatch, a service run by the Australian Competition and Consumer Commission, a government consumer watchdog, for tracking scams, illicit multi-level marketing schemes and the like). As it was after midnight, I completed an online form describing the problem.

I then found the Australian High Tech Crime Centre. Unfortunately, it seems to be little more than a brochure-ware site that does not list any contact details. It did have an online form however, so I also submitted an alert via their site.

(At the time of writing, I have not received a single response from either the ACCC or the AHTCC.)

I returned to the Australian Federal Police Web site, and located the contact phone number for the New South Wales e-crimes squad. Unfortunately, there was no answer on the telephone number listed, nor a voicemail service.

By now, it was 1.30am, and I was at my wit’s end. I decided it was time to leverage some of my “social network” to address this issue.

I am a subscriber to Professor Dave Farber’s Interesting People mailing list. I knew this list had numerous computer security researchers as subscribers. So I penned a quick email, asking for help:

Dave,

I am writing partly to vent my frustration but mainly in the vain hope someone on the IP list can help me out.

My Facebook account was hacked approximately 40hrs ago. I discovered this when I was called by a concerned friend who wanted to confirm that I was being held at gunpoint in London and desperately needed him to wire me cash (via Western Union) so I could escape the country and return to Australia. Of course, I was not in London, and it was not me he was chatting to on Facebook.

I immediately attempted to log into Facebook, but the password had been changed. So I tried to reset the password, but the email address linked to my Facebook account had also been changed. I could not access my account.

I spent an hour scanning the Facebook site looking for a contact phone number. No such luck. I completed 2 different incident reporting forms, and received auto-confirmations. I then scanned their T+Cs and Privacy notices and discovered the privacy@facebook.com email address and sent an email to that address.

40 hours later, I have had no response from Facebook, and I have been alerted by friends that the perpetrators are still active on my account, initiating chats with people begging for help and a money transfer. I just alerted several authorities in Australia (though it is now 1.30am in Sydney, so had to use online forms). Unfortunately, the Australian Federal Police (who do have a 24hr hotline) couldn’t help me (they referred me to a Scam Watch service!).

So I am asking whether anyone on the IP list has a direct contact with an appropriate stakeholder at Facebook, or some specific advice on who I might contact in the US to get the account suspended and the perpetrators locked out (or, better, traced and apprehended).

Any feedback appreciated.

Regards,

Mark

It was clearly the right step to take. Within minutes of the email being distributed to mailing list subscribers, I received numerous offers of help. Within an hour, I received an email from Chris Kelly, Facebook’s Chief Privacy Officer, indicating that my email had been passed onto him, and that his team was on the case. Within an hour of Chris’s email, I received an email from Facebook Support, indicating that the account had been suspended. The hackers, it seemed, had been locked out.

Unanswered questions

I sent an email to both Chris Kelly and the support team thanking them for their assistance. However, I could not let the matter rest, as there were too many unanswered questions.

1. How did the hacker get into my account in the first place? Did they ‘brute force’ my password, or did they appear to already know it? (I have my theory that they exploited a known security weakness in the Twitter API).

2. Which of my friends did they make contact with? (so I could contact them personally and ensure no-one fell victim to the scam).

3. Why did it take Facebook over 48 hours to respond, and only then after my public plea for help which was passed by an external contact into the hands of the Chief Privacy Officer?

(Incidentally, only yesterday - 12 days after I submitted my original incident report via the Facebook online form - did someone from the Abuse department follow-up that report, and only then it was to note that it appeared it had already been dealt with).

4. Why doesn’t Facebook publish a contact phone number or the email address of a real person (such as the Chief Privacy Officer) as an escalation point?

I have received no answers to questions 1, 3, or 4, despite following up with Chris via email.

With respect to ascertaining which friends the hackers had contact with, I received this advice from Facebook:

Unfortunately, we cannot release the information you requested unless we receive a valid subpoena or court order. You should contact a lawyer or your local law enforcement agency and discuss this issue with them. If you decide to pursue legal action, have the lawyer or officer contact us at privacy@facebook.com, and we’ll provide more information about the process.

I was also advised (rather unhelpfully) that I could also check whether there were any messages in my Facebook Inbox or Wall that might reveal who the hackers spoke to. Clearly Facebook were not going to lift a finger to help me determine whether any of my friends (that is, other Facebook users) fell victim to this criminal activity perpetrated via their service.

Not Over Yet

Unfortunately, the saga wasn’t over yet.

Once my Facebook account had been suspended, the Support team sent me an email asking me to verify my identity (i.e. that I was the original owner of the account). They did this by asking me to answer a security question that was posed during the original account creation process. Having confirmed my identity, they issued me with an email containing instructions on how to reactivate my account.

I did not want to reactivate the account until I had received some answers. Unfortunately, the hacker had other ideas.

That evening, I received still more calls. The hackers were active on my account. After it had been suspended. Before I had reactivated it.

I immediately fired off an email to Chris Kelly asking what was going on. The account was promptly suspended again. But how did the hackers get back in?

The Support team suggested my PC might be infected by a Trojan program or some similar malware, which allowed the hackers to see my email. Multiple scans via several different tools and online security services indicated my PC was clean.

They also suggested that somehow the hackers also knew my email account password (I used a GMail account as the contact point for Facebook). Possible, I suppose, but very improbable.

Facebook are yet to provide me with an explanation of how the account found itself reactivated, and who reactivated it. Presumably they have IP address logging capabilities and could easily determine where the reactivation request came from.

Media Attention

My email to Prof Farber’s Interesting People discussion list took on a life of its own. It was republished in Risks Digest as well as on the Wired magazine blog, under the amusing title of Kidnapped on Facebook.

As a result, I was contacted by a number of journalists and media outlets in Australia and overseas, who ran stories on the hacking event. Within hours of each article appearing, I would receive emails from other victims of similar incidents who were also unable to get any response from Facebook. I pointed all of these people in the direction of Chris Kelly, and most replied indicating that soon after making contact with him, Facebook was quick to respond.

(If anyone reading this is having similar difficulties with Facebook, please contact me and I will put you in touch with Chris)

Does Facebook Owe a Duty?

One of the people who contacted me for assistance made the observation that he doesn’t “blame” Facebook for the lack of support, given they provide a “free” service.

Complete claptrap.

Facebook’s service isn’t “free”. Users pay for it by giving Facebook access to their personal data (which they data mine for commercial purposes), and by giving attention to the (targeted) advertisements that Facebook generates as a result. We “pay” by paying attention.

In this day and age it is simply unacceptable for Facebook to have such a pitiful incident response infrastructure. If its “virtual” members were citizens, Facebook would be a sizeable country. It is the custodian of private data for tens of millions of people, and that data is all too frequently being misused by criminals.

I would argue that Facebook owes a fiduciary obligation to its members to take a more proactive stance than they have to date. It certainly should immediately upgrade the infrastructure and processes that it has in place for dealing with criminal activities and identity theft.

I am still awaiting a detailed response from Facebook to my questions. I don’t hold high hope of receiving any.

Posted in Culture, Media


42 Responses

  1. Nathan Says:

    What an ordeal - and a pretty scary one at that. I agree that there has to be more accountability. Same goes for Google who own a large chunk of my online life - if there is ever a problem there is no Australian contact to get in touch with, everything goes through the U.S.

  2. Zac Martin Says:

    Wow, really interesting read, even scary.

    Not good enough on Facebook’s part though.

  3. Ed Loessi Says:

    Hey Mark,

    Maybe you could start a #myfacebooknightmare on Twitter and see if you can create a bit of a ground swell, might not matter but a bit of social pressure never hurt :)

    Ed

  4. John Barnett Says:

    Mark, stop your crying!! You sound like a little school girl. “My Facebook Nightmare”, very over dramatic, but I suspect if you had nothing better to put in the blog this time, it would do. These things happen. It’s a risk we all take. So stop belly aching and blog something interesting or just miss a turn. Regards, John

    [My reply]

    John,

    Thanks for your comment.

    I try to live by the ‘take responsibility’ mantra and avoid the ‘victim mentality’. I don’t believe I was being a victim.

    At all times I took ownership of the problem. I tried to find out how to report the problem through Facebook’s channels. I waited for them to respond. Unfortunately, I wasn’t reporting a “past” intrusion - it was an on-going intrusion, and for all I knew, people (my friends) were falling victim to the scam as it unfolded over several days. So I took proactive efforts to get Facebook to respond.

    My complaint is that Facebook made me do that.

    Facebook, you may recall, valued itself as a US$200 billion company. Facebook *encourages* people to post their private data (it is essential to their business model of using said private data to segment its audience into targetable, commercially attractive recipients of advertising). It also promotes itself as a platform for other businesses who want to leverage (for a fee) their audience data to develop and deliver other applications and services.

    Facebook clearly understands it represents a highly attractive ‘honeypot’ for would-be criminals and scammers (why else appoint a Chief Privacy Officer?).

    Facebook was investigated by New York Attorney General Andrew Cuomo in 2007 for allegedly responding too slowly to user complaints. It settled that case, and (as I understand it) one of the terms of the settlement was that they would respond to all complaints/alerts within 24 hours - something they clearly did not do in my case (and in the many similar cases recently reported on several media sites - including NineMSN, MSNBC, and the New York Times - by other victims of the same scammers).

    If taking Facebook to task for failing to discharge their obligations to their customers - both contractual and court-ordered - gives the appearance of “crying…like a little school girl”, so be it.

    Mark

  5. Robert Barnes Says:

    Crikey. Sounds scary and yes big FAIL from Facebook on a number of fronts. They need more people on the ground - I understand they still don’t have anybody in Australia. Hopefully they’ve learnt a lesson for the Crisis Management 101 internal training…

  6. Jenny Says:

    Gmail has a security flaw. Check if the person changed the settings in Gmail to forward the emails to another address.

  7. Snarkattack Says:

    I was contacted by one of my Facebook friends, he claimed to be stuck in London and robbed etc. - I’d been told it was a scam, and Facebook make it really hard to report. They said they couldn’t do anything about the fact that my friend’s account had been hacked. It was quite annoying. I normally would have just ignored it, but it was pointed out to me that the scammers might try to contact others on their friends list and scam them, so I did report it. Or attempt to, at least.

  8. Mick Liubinskas Says:

    Shit mate. That’s awful. The loss of control is the worst part.

    I guess that could happen to Skype or other IM apps too.

    One good rule is to ask the person a personal question that only they would know.

    Thanks for the warning though.

  9. Bruce Says:

    Wow… interesting story, cheers for posting.

    Totally agree that Facebook needs to improve their service, drastically. I had an issue with them last year when they took down a high-profile Fan Page that I had created on behalf of a client. They removed it without any explanation or warning to me, and it took weeks of emails before I get any response, and even longer before a resolution.

    I dread the next time something goes wrong, because they are extremely unhelpful and it really feels like there’s nothing you can do about it.

  10. Todd Davies Says:

    Brand. Reputation risk. It takes ages to build and only a short period to destroy. A good lesson for companies that reduce their direct interactions with customers… ever tried to report a bug to Microsoft? Hopefully Facebook and others are reading this blog and learning from it.

    On a side note about identity theft, I’ve always been nervous about the idea of Facebook asking for and displaying your full date of birth. I’m really surprised there’s not more identity theft as a result of this - it’s key data for identity thieves. When in doubt, delete your year of birth or change your date of birth altogether I say.

    Thanks for sharing Mark, it’s often only when people hear real cases that these risks become tangible.

    Todd

  11. Australian Anthill Says:

    [...] with a phone call, around 7.30pm on January 14th. A concerned friend was calling from interstate. Here’s how Neely describes the correspondence. “Mark, where are you?,” he [...]

  12. Jayen Says:

    Hey Mark, that is one heck of an ordeal!

    I assume to your knowledge none of your friends did fall for the hacker’s story?

    I had a Gmail account hacked last summer, 08. Its password wasn’t exactly easy, no one else knew it for sure, it was something totally random made up with both letters and numbers, so Gmail definitely isn’t perfect either :( In my case luckily I caught it immediately as the hacker sent out a spam email to all the contacts which I received immediately myself in another email account of mine. Luckily I was able to log in immediately, change the password and email an explanation out to all contacts right away.

    I guess I was lucky.

    In regards to the IP, if these guys are as sophisticated as they seem you can bet they’d be using proxy servers to hide their identity so I doubt Facebook could get their true IP.

    It’s amazing what companies like Facebook, Google, PayPal etc get away with when it comes to contact info and response.

    But I guess it’s the idiots (sorry but I’ll be frank in the case of people like this) like the John Barnett of this world that seem to think this kind of thing is acceptable, that help these companies to continue to get away with it.

    I’ve taken note of your email, just in case, thanks. Unlike some, I feel your post was an eye opener and something everyone should read. I’ll be twittering it out.

    Thank you very much

    Jayen from Spain

  13. Sueblimely Says:

    Thanks for publicizing this. Not sure what you can do if Facebook security is lax. Having a strong password may be some security.

    I have just added the Facebook FriendCSV application and downloaded my friend details - at least this way I would be able to find all friends and warn them in the tragic event of having my account hacked this way.

  14. Huley Says:

    First of all I think John Barnett sounds like a complete nob.
    Back to your story, very much appreciated, and I guess it would help if we all changed our passwords more often.
    Cheers

  15. Lachlan Hardy Says:

    That’s a real bugger, Mark. I hope none of your friends got caught. I can only imagine how stressful that would have been.

    I went through a similar hunt for contact details at Facebook, though, when trying to close my account. I ended up emailing privacy@facebook.com with my support request. I’m pretty sure it *is* the only email address listed on the site anywhere.

    Somewhat interestingly, my replies come from that same address (with a + suffix) and are labelled as being from “Facebook Support”. I guess they only have one email address?

  16. Farrhad A Says:

    Whoa! I can actually feel how tense you must have been. Do you suspect a keylogger? Was your password very easy? Anyways, you are lucky to have soo many concerned friends :)

  17. Madrisa Says:

    The banks and credit card companies have had to set up systems to deal with cyberfraud and account hacking - and they’ve done a pretty good job.

    Facebook could take a few lessons from them.

  18. NathanaelB Says:

    Geez, it almost persuades me to delete my Facebook account rather than risk my friends getting caught up in that sort of scam. That would be completely frustrating, not having anyone help you.

    The whole thing about “You don’t pay them anything so they’re not obliged to provide any support” is, as you say, complete bullsh*t. They should provide some sort of emergency response team - whether contactable by phone or at least within 15 minutes of receiving an email from a user.

  19. Watch Out For Scammers Asking for Money on Facebook Says:

    [...] Out For Scammers Asking for Money on Facebook Wednesday, January 28, 2009 “My Facebook Nightmare” by Mark Neely is a play-by-play account of how a scam artist hacked the author’s [...]

  20. Beth Turnage Says:

    Anytime a problem gets solved only when a bigwig steps in, it demonstrates an infrastructure with insufficient manpower to handle security and customer service issues. This whole issue is probably a much bigger problem than we realize and it seems like it is fueled by a lack of meaningful support from the company. In this way, yes, the company is culpable.

  21. Darian Zam Says:

    Thanks for posting this informative story. It is truly scary.

    “The Support team suggested my PC might be infected by a Trojan program or some similar malware, which allowed the hackers to see my email. Multiple scans via several different tools and online security services indicated my PC was clean”.

    It’s unlikely in my opinion, but it is a possibility, because you will find that with those types of virus they can easily elude several types of specialist scans, and even if eventually located, are essentially undeletable. My advice to people is always: back up all your data thoroughly, completely wipe your computer, and start over with a re-install. It’s the most effective, most efficient way to deal with it.

  22. b h Says:

    Oh man, I hope the newspapers give this story light of day! And it’s sometimes really convenient of website owners to “blame” your computer or your lack of security.

  23. LJ Says:

    Hey,
    same thing is happening to me right now. Can you PLEASE send me Chris’s email address? My friends are all thinking I’m stuck in London and someone is trying to send me money. I’m afraid she will get scammed.

  24. Goeegoanna Says:

    I have great sympathy for your troubles and hope that enough dust is stirred that this company gets their comeuppance.

    All too often we find the individual is trampled and forgotten by corporations. Now that we have cyber companies there are so many grey areas.

    It seems people at both ends of the phone line feel if the other guy can’t be seen then the crime can’t really hurt.

    Facebook are just as criminal for not taking responsibility of your security as the guy is for abusing it. Their slackness proves this. They have a flawed system and they don’t want their millions of customers to know it. Keep pushing!

    Good luck :)

    Goee

  25. Whats to Buy » Blog Archive » Social Networks not as safe as you think!! Says:

    [...] the latest Facebook scam here. Social networking sites don’t care about you or the safety of your [...]

  26. britz Says:

    Well Mark, I agree with you. Facebook failed dismally in its duty of care, customer service and security service. Pretty unprofessional for a multi-million dollar company. I was about to sign up till I read your blog. I sympathise with your ordeal and thank you for your warning.
    It’s just another example of a corporation being more concerned about the $$$$$$$ and not the service.

  27. margaret Says:

    How do I deactivate my account? I have been trying unsuccessfully for hours.
    Thanks

  28. coffee Says:

    sounds like Facebook made the same mistake that Google made with their Chrome (web browser) end user license agreement

  29. Chrstine Says:

    What does Facebook matter? If it was your Paypal account or WoW or something important, I could see the concern. Whatever, it was Facebook. Just a glorified mailbox. Tell your friends, get a new account, problem solved.
    No one cares.

  30. Taylor Says:

    Facebook is retarded, and so are you for getting so bent out of shape about it.

  31. Bjorn F Says:

    To check if your Gmail account has been hacked, keep an eye on what IP addresses connect to it. You have a link to the account activity at the bottom after logging in.

  32. mike Says:

    I don’t have time to read the comments, but I read the article, and not sure if you are aware of this already, but Gmail logs which IPs log into your account. If you only log in from one computer, checking that will give confirmation it’s only you who has the password. It also says when the last time you logged in was, so yeah, just FYI.

  33. Devin Says:

    Your security problems are more likely tied to your Gmail account. I have read elsewhere that there is a security flaw in Gmail that allows someone to forward emails to them and obtain personal information.

  34. Rob Says:

    There was a known issue with gmail that caused a hack that would redirect emails sent to gmail to another account and never show up in your inbox. Something like that could have happened. What an ordeal.
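Comments 6, 33 and 34 all point at the same thing to check after a takeover: a mail rule that quietly forwards (and possibly deletes) messages such as password-reset emails, so the attacker sees them and the owner never does. As an added example, not from the post or from Google, here is that audit written over a constructed, hypothetical export of filter rules (the field names `match`, `forward_to`, `skip_inbox` and `delete` are assumptions, not Gmail's format). It flags any rule that forwards outside the owner's own domains, and raises the severity when the rule also hides the mail, applies to everything, or targets account-recovery messages.

```python
"""Audit mail filter rules for silent external forwarding.

Added example; the rule export format below is constructed and hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed, hypothetical filter export (field names are assumptions).
SAMPLE_FILTERS: List[Dict] = [
    {"id": "f1", "match": "from:newsletter@example.net", "forward_to": None,
     "skip_inbox": True, "delete": False},
    {"id": "f2", "match": "subject:password", "forward_to": "collector@attacker.invalid",
     "skip_inbox": True, "delete": True},
    {"id": "f3", "match": "from:boss@example.org", "forward_to": "backup@example.org",
     "skip_inbox": False, "delete": False},
    {"id": "f4", "match": "*", "forward_to": "drop@attacker.invalid",
     "skip_inbox": False, "delete": False},
    {"id": "f5", "match": "from:alerts@example.net", "forward_to": "me@othermail.invalid",
     "skip_inbox": False, "delete": False},
]

# Terms in a rule's match that suggest it is aimed at account-recovery mail.
RECOVERY_TERMS = ("password", "reset", "verify", "security", "sign-in", "login")


@dataclass
class Finding:
    rule_id: str
    forward_to: str
    severity: str          # "high" or "medium"
    reasons: List[str]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_filters(filters: Iterable[Dict], owner_domains: Set[str]) -> List[Finding]:
    """Return a Finding for every rule that forwards mail outside owner_domains.

    Severity is "high" when, in addition to forwarding externally, the rule hides
    the mail from the owner (skip_inbox/delete), matches all mail, or targets
    recovery-related messages; otherwise "medium".
    """
    findings: List[Finding] = []
    for rule in filters:
        target: Optional[str] = rule.get("forward_to")
        if not target:
            continue  # nothing leaves the mailbox
        if _domain(target) in {d.lower() for d in owner_domains}:
            continue  # forwarding to the owner's own domain is expected
        reasons = [f"forwards to external address {target}"]
        if rule.get("skip_inbox") or rule.get("delete"):
            reasons.append("hides the forwarded mail from the owner")
        if rule["match"].strip() == "*":
            reasons.append("applies to all mail")
        if any(term in rule["match"].lower() for term in RECOVERY_TERMS):
            reasons.append("targets account-recovery mail")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(rule["id"], target, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_filters(SAMPLE_FILTERS, {"example.org"}):
        print(f"[{f.severity}] rule {f.rule_id}: " + "; ".join(f.reasons))
```

On the constructed data, `f2` (forwards password mail to an external address and deletes it) and `f4` (forwards everything externally) come out as high, `f5` as medium, and the internal forward `f3` and the non-forwarding rule `f1` are not reported. The same check belongs alongside a review of the account-level forwarding address and of recent sign-in activity, which comments 31 and 32 describe.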

  35. Sorcha from Ireland Says:

    Hi Mark,
    Thanks for your story, a similar thing happened to me except the person knew me. They used my family members’ names to threaten my friends on Facebook. I got the exact same response (same wording) from Facebook, they must send the same email out to everyone. I would love to find out who the person is. They also got my telephone number from Facebook and are sending me strange text messages. I went to the cops but they said they couldn’t do anything. I have my suspicions of who it may be, but I have no way of proving it. Facebook surely would know the IP address of where the messages were sent from? Anyway thanks again. Facebook is a joke.

  36. STEVEN Says:

    i have a feeling that writer JOHN BARNETT actually works for facebook.

  37. Adam Says:

    Just a suggestion: if the hackers had access to your GMail account, it would be a simple matter to take over your Facebook account as well if you use it as a point of contact.

  38. Logan Says:

    What is with people and Facebook and Twitter and all that garbage. Nobody cares what you’re doing 24/7. If anyone is dumb enough to fall for the “I’m stuck in (insert country here) and I need cash” scam they deserve to lose their money.

  39. Silpa Says:

    Dear Mark,
    Linked to your story on my Facebook account- sorry for all your trouble, but thank you for holding your ground.

  40. R. S. Says:

    Facebook just made a post about their efforts to fight this thing:

    http://blog.facebook.com/blog.php?post=142604447130

  41. Adam Says:

    These “social networking” sites are among the most useless websites I’ve seen.

    Such incredible drama comes from being in contact with every single person you know at all times.

    Also, keyloggers are much more common than hackers.

  42. Sara Says:

    I enjoyed reading your story. I can’t say I have had that happen but I have had issues with Facebook. I noticed that an acquaintance posted photos of my child on her Facebook account. I asked her to take them down; her response was to block me.
    I contacted Facebook to express that I wanted these photos removed. I am the mother and wish to protect my child. I strongly disagree with posting photos of children on the internet. After waiting for ages for a response, Facebook told me to get a court order.




copyright © 2006 by Mark Neely’s Blog - 3rd Horizon | Powered by Wordpress