"In the '90s, scammers used e-mail," says Michael Argast, a security analyst at Sophos, an antivirus software company. "Today, it's social networking." Argast explains that although people have been trained not to click on suspicious e-mails, they don't operate with the same sense of caution when presented with a link on Facebook or Twitter. Maybe that's why the number of phishing attacks on these kinds of sites — in which people are fishing for account information, as opposed to infecting your computer with a virus — has skyrocketed recently, from 4,600 attacks in 2007 to 11,000 in 2008. This year doesn't look any better, with 6,400 attacks in the first three months of 2009. (Read "How Not to Be Hated on Facebook: 10 More Rules.")
Like anything on the Internet, Facebook has never been completely scam-free, but its privacy settings may create a false sense of security: most users can't interact with one another unless they are "friends" or belong to the same general network. The site at first glance would also seem less of a gold mine for swindlers since unlike financial websites, which offer access to victims' bank accounts, there is no direct financial gain from hacking into a Facebook account. But the bad guys know that many of us are lazy or forgetful and use the same password on multiple sites. In early 2008, Facebook noticed a marked increase in the number of scams. "We're the most effective distribution platform on the Internet," says Ryan McGeehan, the company's incidence-response manager. "The level of person-to-person connection doesn't exist anywhere else. And as we get bigger, we become a bigger target."
Facebook monitors users' activity, and when someone goes from a few wall posts a week to hundreds of messages within a few minutes, the security team can logically assume that the account has been hacked. They'll notify the user, reset the password, and the whole issue is usually resolved within a few hours. But when thousands of users are hacked at once — and then their friends are hacked, and their friends' friends are hacked — it can take a few days for Facebook to fix the problem. That's what happened on April 29 and 30, when users found themselves accidentally logging in to a website called FBAction.net. Designed to look exactly like Facebook, the evil doppelgänger took their info and hacked their accounts.
When MarkMonitor, an outside security company employed by Facebook, shut down the fake website, the scam popped up again on a different site, FBStarter.com. (It too has since been disabled.) "My guess is this was a pretty organized group of people," says Fred Felman, MarkMonitor's chief marketing officer. Felman says the phishers, whoever they were (Internet scammers almost never get caught), were not using the most up-to-date technology, but their creativity and speed makes him think that they have experience and will probably do it again.
A similar phishing scam established a toehold on the website in January. And last year hackers broke into accounts by convincing people to click on links posted on their profile walls. Another common Facebook scam is to hack someone's account and then send messages to friends asking for money (like the old Nigerian businessman scam, but with a hey-it's-your-old-pal twist).
Facebook won't say how many accounts were compromised last week, but a rep notes that the site has never had a scammer hack more than a small fraction of its accounts, adding that the company's security team — which has more than 100 analysts, engineers and programmers — can handle whatever comes their way. "We're going to be attacked again in the future," says McGeehan, "and my role is to be prepared when it happens."