An old Web scam finds new life on Facebook
    Communication sophomore Emily Hoffman was reveling in the tropical climate of Cancun over Spring Break — until she decided to check her Facebook profile on her mother’s cell phone.

    Fifteen friends had posted on her wall to tell her that someone was using her account to post spam, luring people to click on promotional links.

    She could only change her status from the cell phone, so she texted her friend, who told Facebook that her profile had been hacked as part of a “phishing” scam. The scammer had access to her account for ten hours, until Facebook changed the password.

    Facebook phishing scams, which deceive users into giving up passwords, are designed to look like the real thing. Photo illustration by NBN.

    “I believe all phishers and hackers can go directly to hell,” Hoffman said in an interview last week. “Do not pass go, do not collect $200.”

    Phishing, the use of deception to get users to divulge passwords or other sensitive information, is typically carried out by e-mail. But users at Northwestern and other schools now report that it has hit Facebook. Technology blogs such as TechCrunch have collected similar stories from around the Web in recent days.

    Phishers try to entice people into entering personal information into a Web page, such as a copy of the Facebook log-in screen, that looks legitimate but actually sends whatever is typed to the scammers, giving them access to the victims' accounts or other private data.

    Phishing is a new arrival on Facebook, and a dangerous and effective one, said Griffin Hammond, a graduate teaching assistant at Illinois State University and the creator of the Facebook group “Phishing Scam Awareness.” He fell for the same trick that Hoffman did.

    “I feel we are used to phishing via e-mail,” he said, “but via Facebook, coming from a friend of yours, you don’t get a bad eye for it because of course you trust your friend.”

    Here’s one of the messages that has been circulating Facebook’s networks:

    Hey, I got a new facebook account. Im going to delete this one, so add my new profile!

    Hammond said he created the group after he logged into a page he thought a Facebook friend had sent him. When he realized that the URL was fake, he changed his password and informed Facebook about the scam.

    Because of the many connections each user has on Facebook, any successful phishing attempt could rapidly compromise thousands of accounts, Hammond said. It “can spread like wildfire if people are unaware of the scam,” he warns people in his group.

    Facebook did not return requests for comment on this story. The site is a new battleground for an established criminal industry. Identity theft and financial loss from phishing attacks surged in 2007, according to a survey by technology-research company Gartner, Inc. In the 12 months ending in August 2007, 3.6 million adults in the U.S. lost $3.2 billion to phishing schemes. The year before, 2.3 million people had fallen prey to phishers.

    Phishing has come to Northwestern in other ways besides Facebook. On March 12, NUIT sent out a security alert about a phishing attempt on the university’s e-mail accounts. The message claimed to be from “Support Services” and asked users to verify their Webmail account.

    Illinois State University has been the target of those types of phishing attacks too, Hammond said.

    McCormick sophomore Anda Bereczky fell for a similar, if more benign, trap in Winter 2007, when a classmate from her public-speaking class tested phishing’s effectiveness by sending every person in the class an e-mail, asking them to follow a seemingly legitimate link and enter their Facebook log-in information. It worked on her, Bereczky said.

    Since Spring Break, Hoffman said she has altered her habits. She will change passwords more frequently, avoid third-party Facebook applications and be more vigilant about her information on the Internet, she said.

    “If you know about it, it shouldn’t happen to you,” she said.

    Since phishing schemes collect private information, the best way to recover from a scam on Facebook is to immediately change your password and report the issue to privacy@facebook.com, Hammond said.

    Though it’s at least the second time this year that phishing attempts have hit Facebook, the company hasn’t mentioned the scams on its blog or otherwise notified users.

    “I think Facebook can do a little bit more,” Hammond said. “I feel it should really have a security page devoted to this, where people can report scams and learn about the scams.”

    Built-in phishing filters in browsers can alert users to suspicious sites, Bereczky said. “It’s automatic so you don’t need to constantly train it to recognize fake URLs.”

    But Hammond doesn’t rely on browsers to catch phishing scams — he said that the key is to recognize fake URLs: They may include “facebook.com” in the address but will end in a different domain, such as “www.facebook.com.profile.php.id.371233.com.” Users who click on a link like that will be taken to 371233.com, not Facebook.
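    The check Hammond describes, reading a link by the domain it actually ends in, can be written out as a small script. The following is an added example, not code from the article, from Hammond's group or from Facebook. It pulls the hostname out of a link and reduces it to its registrable domain, the label just to the left of the public suffix (“371233.com” in the article's example), because that is the part that says who controls the site. It also covers a related trick the article does not mention, a link of the form “http://www.facebook.com@371233.com/”, where everything before the “@” is treated as a user name and the browser still goes to 371233.com. The short list of public suffixes is an assumption for the demo; a real tool would load the full Public Suffix List (https://publicsuffix.org/).

```python
# Added example (not from the article): work out which site a link really
# points to by extracting its registrable domain, then compare it with the
# site the link claims to be.
from urllib.parse import urlsplit

# Registrable domain = the label immediately left of the public suffix.
# This short suffix list is an ASSUMPTION for the demo; a real implementation
# should use the full Public Suffix List from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk", "ac.uk", "com.au"}


def registrable_domain(url):
    """Return the registrable domain of url, e.g. '371233.com' for
    'http://www.facebook.com.profile.php.id.371233.com/'.
    Returns None when the URL has no usable host."""
    if "://" not in url:
        # Bare links such as "facebook.com/login.php" get a scheme so that
        # urlsplit treats the first part as the host rather than the path.
        url = "http://" + url
    # .hostname drops the scheme, path, port and any "user@" prefix, so the
    # "www.facebook.com@371233.com" trick collapses to "371233.com".
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.rstrip(".").lower().split(".")
    # Try the longer suffix first so that "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return None


def is_real_facebook(url):
    """True only when the link really lands on facebook.com."""
    return registrable_domain(url) == "facebook.com"


if __name__ == "__main__":
    # Constructed sample links; the third one is the article's example.
    samples = [
        "https://www.facebook.com/login.php",
        "facebook.com/login.php",
        "http://www.facebook.com.profile.php.id.371233.com/",
        "http://www.facebook.com@371233.com/",
        "http://login.facebook.com.example.co.uk/",
    ]
    for link in samples:
        verdict = "real" if is_real_facebook(link) else "NOT facebook"
        print(f"{verdict:13} {registrable_domain(link)!s:16} {link}")
```

Anything whose registrable domain is not facebook.com is treated as suspect no matter how many times “facebook.com” appears earlier in the address; that is the same rule Hammond applies by eye.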

    “We want to think that only gullible people fall for phishing,” he said, “but I think on Facebook everyone can fall for it.”
