James first became aware of the problem when a few friends called him and asked if he was OK. His friends had received a crisis email from James indicating that he and his wife were stranded in the UK after being mugged. Left without any money or credit cards, but luckily with their passports and their health, they needed a cash “loan” quickly so they could get a flight back to Los Angeles. But James wasn’t receiving those emails; someone else was.
Researchers at VeriSign’s iDefense group recently reported that up to 1.5 million Facebook profiles were stolen and for sale in the criminal underground. [i] The sale price was reported at between $25 and $45 per 1,000 user profiles. According to the article, Facebook did not respond to requests for comment from VeriSign, so the actual number could be more or less than 1.5M. Was James’ profile among that alleged stolen batch, or did some other thief steal it? We will likely never know how it was originally stolen, but here’s what happened afterwards.
The thief who had assumed James’ identity asked for a Western Union money transfer and provided a UK physical address where “he” would pick up the money. More on that later. How much money did they need? 800 British Pounds, or about $1,150 US.
How did the thief get this far into the scam?
- Thief somehow obtained the Facebook user name and password for James.
- Thief noted the registered email address for James, the one associated with his Facebook account.
- James had used the same password for both Facebook and his email account (a common mistake). Thief tried that password first and was successful in logging into James’ email account.
- Thief changes both Facebook and email account passwords, locking James out.
- Thief opens up a new Yahoo email account using an address very similar to James’ original email.
- Thief forwards all email from James’ regular email to the Yahoo account.
- Now thief sends out his distress email to James’ friends, some of whom respond via email with concern. Some friends call James on the phone.
James feels violated. He reports the incident to law enforcement. But because it happens every day, is international, and because no money was transferred, it becomes just another statistic, one of possibly millions. It’s a numbers game for the bad guys. Bad guy buys 1,000 user names for roughly $50, solicits all the friends in those networks (1,000 users times hundreds of friends), and is looking for at least one gullible friend to wire transfer $1,150. That’s a pretty good return on investment if it works just once.
We offered to help James and here are the steps taken to help him recover:
- James called his email provider and took back control of his email address. It was there that he found the forwarded Yahoo email address. That Yahoo address was set up as a throwaway account—just for this purpose.
- We contacted Facebook to get his profile back. To our pleasant surprise, Facebook was very responsive (less than 5 hours) and instructed us to fill out a report at this link: http://www.facebook.com/help.php?page=420. Afterwards they would work to restore his profile. Facebook restored his account in 3 days after verifying James’ true identity. (Again, a pleasant surprise in turnaround time.)
- Ensured from now on that James uses a different password for each different web site and that his passwords contain letters, numbers, and symbols. No recycled passwords allowed.
- Ensured that James checked his bank accounts and credit cards for odd transactions.
- Requested that James validate his “friends” in the network to ensure nobody new came in while the thief had control.
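
The forwarding check from the first recovery step can be scripted. The following is an added example, not part of the original post: it flags forwarding destinations outside the owner's domain and marks those whose local part closely resembles the owner's, as the thief's Yahoo address did. The function names, the flat list of forwarding targets, and all addresses are constructed for illustration.

```python
from difflib import SequenceMatcher

LOOKALIKE = "look-alike of owner address at external domain"
EXTERNAL = "external forwarding destination"
MALFORMED = "malformed address"


def split_addr(addr):
    """Split an address into (local part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def audit_forwarding(owner, targets, trusted_domains=(), threshold=0.8):
    """Return (target, reason) for every forwarding destination needing review."""
    owner_local, owner_domain = split_addr(owner)
    trusted = {d.lower() for d in trusted_domains} | {owner_domain}
    findings = []
    for target in targets:
        local, domain = split_addr(target)
        if not local or not domain:
            findings.append((target, MALFORMED))
            continue
        if domain in trusted:
            continue  # forwarding inside a domain the owner controls
        # A near-identical local part at another provider matches the
        # throwaway-account pattern described in the post.
        similarity = SequenceMatcher(None, owner_local, local).ratio()
        reason = LOOKALIKE if similarity >= threshold else EXTERNAL
        findings.append((target, reason))
    return findings


# Constructed sample data: owner address and the forwarding targets
# exported from the mailbox settings (hypothetical values).
OWNER = "james.carter@example.net"
SAMPLE_TARGETS = [
    "james.carter1@mail.example.org",
    "backup@example.net",
    "newsletter-archive@example.org",
    "not-an-address",
]

if __name__ == "__main__":
    for target, reason in audit_forwarding(OWNER, SAMPLE_TARGETS):
        print(f"REVIEW {target}: {reason}")
```

Any external destination the owner does not recognize should be removed before the account password is changed again, since mail keeps flowing to it otherwise.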
There are two and possibly three victims to this type of scam. The first victim is James. Someone steals his identity and exploits his goodwill and honest reputation among his friends. The second victim group is James’ friends. As far as we know, nobody actually sent money, but some were concerned enough to send emails, where the thief was waiting to respond. The third potential victim is the owner of the money pickup location. This is where the thief or accomplice will physically go to pick up the money if transferred, often using Western Union, but not exclusively. The owner is a potential victim because he or she might not know they are being used by criminals as a pickup spot. We would like to help this group too.
Here’s how you can help us help them. If you’ve received an email from your friend requesting urgent money and instructing you to transfer cash, or if you have been victimized yourself, you can use the free reporting site we have set up to report the physical location of the requested money pickup as displayed in your email. If a pickup address is listed in your scam email, then report it. As the number of reported incidents grows, some physical locations will begin to emerge again and again. If you happen to own or manage one of these locations, then you should contact local law enforcement and let them know you are being used by fraudsters as a potential pickup spot. While investigating James’ pickup spot in Cardiff, UK, we found 2 other victims reporting the same address, so we’ve logged a total of three there to start.
Click here to file a report or view the data: http://sites.google.com/site/report419scam/
Original post was at www.InfoSecIsland.com
[i] “1.5 Million Stolen Facebook IDs up for Sale – PCWorld Business Center,” http://www.pcworld.com/businesscenter/article/194843/15_million_stolen_facebook_ids_up_for_sale.html