Russian Hacker Selling 1.5M Facebook Accounts
Sir Codelot writes "A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends. Looking at the numbers, Kirllos has stolen the IDs of one out of every 300 Facebook users. Quoting: 'VeriSign director of cyber intelligence Rick Howard told the New York Times that it appeared close to 700,000 had already been sold. Kirllos would have earned at least $25,000 from the scam. Howard told the newspaper that it was not apparent whether the accounts and passwords were legitimate, but a Russian underground hacking magazine reported it had tested some of Kirllos' previous samples and managed to get into people's accounts.'"
Translation: it might not be a bad time to change your password if you use Facebook.
My work here is dung.
I can increase the size of my friend network and be the biggest star on the net!
... to become a new man.
wow that sucks.... *changes FB password just in case*
Facebook is so passe, move on.
What is going to happen to my beautiful farm :(
I'm surprised they are not worth more since they represent a great point of entry for social attacks. Think personalized spam (i.e. "Hey John, I think Laura wanted you to buy this for the concert you are attending next week"), targeted dictionaries, localized phishing (i.e. location data deploys phishing to compromised machines near you). Once you break a single friend in the "network" you gain additional information on everyone in that scope, so the return on entry is very promising. An attacker can begin profiling ideal targets in the guise of friends. Ah, so many possibilities. Such a gold mine.
Trying to install linux on my microwave, but keep getting a kernel panic...
Hmm, maybe 1 out of every 300 Facebook users' computers is infected with Koobface......
http://news.cnet.com/8301-1009_3-20002112-83.html
According to the Facebook statistics page the average account has 130 friends. If 1 in 300 accounts are compromised and you have circa 130 friends then the odds are quite high that the personal data you have "only available to friends" is going to become available to some fairly unfriendly people shortly.
Reminds me of the ever-true saying 'play with fire and you'll get burnt'. I have always been mindful of the threat FB poses to my privacy and have completely closed down my account several times, but keep giving in and going back due to peer pressure from family & friends. This time I'm killing it off for sure. No organization, be it governmental or corporate, should have control over so much of an individual's personal data.
...and yet, time after time, FB users ignored the abuse and kept on using the service. I really have little sympathy for such blatant and above all, stubborn disrespect for one's own security. And for what? To have "virtual friends"? To "keep in touch"? Both friends, conversing and socializing are more fulfilling when done in some of the more traditional ways.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
...the use of owning 1000 Facebook IDs? What is the idea? Who would want it? I may be dense but apart from spam senders I don't see the use of this.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
I am pretty sure Facebook was going to enable "post-on-behalf-of" for everyone on their next privacy settings revision anyway for extra fun.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Probably because unlike in the US, Russia seems to turn a completely blind eye to cyber criminals. Granted we don't do such a good job ourselves, but we do look for them and prosecute them when found. It's rich that a country with a very serious problem with organized crime would even pretend like there's no justification for pointing a finger back at the lack of enforcement.
It's pretty clear to me that the hacker actually broke Facebook security and stole bulk data. Question is, what is Facebook doing about it? Shouldn't they be chasing after this in some way? After all, it's their service I'm using ...
...Don't hate the players hate the game dawg!
Facebook users aren't security experts, they're family members, friends and loved ones. You remember those, right?
Living in my IT bubble in San Diego it was easier for me to bag on Facebook and 'look down' on its users, but now that I'm unemployed and living temporarily with family I've seen how useful it is for them to keep in touch with friends and relatives in a way that letters or email simply can't emulate.
Besides, if we really thought Facebook was that bad instead of bitching about it we'd be the talent pool responsible for creating a better alternative (unless you believe that only venture-funded MBAs can take on such a technological challenge). For instance, I've never liked any of the popular/available dating sites, so what do you think I'm doing while I learn Mongodb in my free time?
Quack, quack.
Ah, cyber crime, the offence of sending ones and zeros down a wire to produce forbidden tones.
To specify, money in a bank is just an entry in a database. Someone fraudulently reduces some entry by $1000 and increases another by $1000? Roll back.
Banks have a problem with the administrative burden? Luckily, mine is owned substantially by the state now, so shouldn't be much of a problem enforcing this.
Pff, I bet I can get those accounts for a couple of bucks, by just asking Zuckerberg.
After all, according to him, there is no privacy. Just make an app or something, and there you have the data.
Man am I happy that I deleted my Facebook account. (Which was, other than the friends list, completely empty anyway. But you know. Friends, photos, messages... that’s already too much.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
To anyone who didn't get the message yet, there are three rules you should follow:
1) Never use the same password in more than one place.
2) Store the passwords somewhere safe.
3) Use good quality passwords.
Unix fans can generate good quality passwords with:
od -N4 -tx4 /dev/random | cut -b9-
or slightly better ones with:
dd if=/dev/random count=6 bs=1 | uuencode -m - | tail -2 | head -1
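The three rules above in working form. This is an added example and not the commenter's code: it uses the OS CSPRNG through Python's `secrets` module instead of `/dev/random` (which can block), sizes the password by the entropy it needs rather than by a fixed byte count, and flags rule-1 violations (one password on several sites) in a constructed credential set. The hex alphabet matches what the `od -tx4` one-liner produces, so `entropy_bits` can be used to compare the two: 8 hex characters is only 32 bits, which is well short of what a dictionary attacker can brute-force.

```python
import math
import secrets
import string

# Alphabets. HEX matches the od -tx4 one-liner (4 bits per character);
# BASE64 matches uuencode -m output (6 bits per character).
HEX = string.hexdigits[:16]
BASE64 = string.ascii_letters + string.digits + "+/"
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def length_for_bits(target_bits: int, alphabet: str) -> int:
    """Smallest length whose entropy reaches `target_bits` for this alphabet."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG.

    secrets.choice draws each symbol without modulo bias; it never blocks the
    way reading /dev/random can on older kernels.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused(credentials: dict[str, str]) -> list[set[str]]:
    """Rule 1 check: return groups of sites that share the same password.

    `credentials` maps site name -> password (constructed input in the test).
    """
    by_password: dict[str, set[str]] = {}
    for site, password in credentials.items():
        by_password.setdefault(password, set()).add(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # The od one-liner yields 8 hex chars; compare against a 128-bit target.
    print("8 hex chars:", entropy_bits(8, HEX), "bits")
    print("8 base64 chars:", entropy_bits(8, BASE64), "bits")
    needed = length_for_bits(128, PRINTABLE)
    print(f"{needed} printable chars for 128 bits:", generate_password(needed))
    # Constructed credential set with one password reused across two sites.
    print("reused on:", find_reused({"facebook": "hunter2", "gmail": "hunter2", "bank": "Tq9$..."}))
```

Rule 2 (storing them) is the part the generator cannot solve; a password manager or the piece of paper in your wallet that Schneier recommends further down the thread are both acceptable answers, unencrypted text files on a machine that may already be running Koobface are not.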
They're probably just the type of fake accounts I've seen before attempting to friend random people. Most of them probably are female, with pretty photos lifted from the internet. The tipping point for price belies their nature: under or over ten? Real accounts usually have at least over fifty, if not hundreds of friends. That said, this still is a big security issue given the amount of data people's friends can get on their profile, and the proclivity for the younger kids to add anyone who friends them. Of course, a lot of these fake accounts are probably only friends with other fake accounts, and will probably be sold in batches that prevent this fact from being apparent for the first few weeks after a sale.
Facebook today told me: "your account was accessed from an unusual place and has been blocked." Then I had to do all sorts of things to prove I'm human and it told me to create a new password. I created such a strong password that I have forgotten it. Now will have to change it again.
Wealth is the gift that keeps on giving.
What about accounts with no friends?
Are you seriously trying to defend cybercrimes?
Since when does being a Socialist mean 'someone who has a different opinion than me'?
Defending them? I'm just contextualising the problem.
To wit, cybercrimes cause precisely as much harm as your bank/government in your country wants them to cause. It's like spam: you could pretend that you can shut down all spammers across the world at source, or you could deploy education and effective antispam solutions to protect potential victims.
Facebook shouldn't be storing your Facebook password, just a hash of it. That's how login systems have worked for thirty years. Doesn't anybody there have a clue about security?
Here in Finland, banks usually provide you with a list of ~50-100 one-time use codes, so it's basically impossible to figure out the next code unless you manage to find some pattern in the random digit generator that the banks use to generate those one-time codes. To me this seems even more secure than using those keypads that most other European countries seem to be using. The only way I can conceive this to be hacked is to figure out what someone's userid is (random generated string, i.e. basically a traditional password), and then intercept their snail mail when they get their fresh set of one-time codes.
What do you do when someone withdraws the $1000? It's then too late to roll back.
Is it just me, or does the summary read like a slashvertisement for the hacker?
"A hacker who calls himself Kirllos has obtained and is now offering to sell 1.5 million Facebook IDs at astonishingly low prices — $25 per 1,000 IDs for users with fewer than 10 friends and $45 per 1,000 IDs for users with more than 10 friends
The reference to "astonishingly low prices" is irrelevant. It's also total nonsense, frankly, and hence relevancy isn't a necessary test - it should be removed from the summary regardless. Even if one assumes that 99% of all Facebook IDs have less than 10 friends -- a fairly unlikely assumption -- then that equates to some US$37,800 to buy the names, around 2.5 cents each. That is by no measure an "astonishingly low price".
(((1,500,000 x 0.99) / 1000) x 25) + (((1,500,000 x 0.01) / 1000) x 45) = $37,800
I'd guess it's more likely the true figure is somewhere closer to $50,000 - $60,000, although I'm not aware of any publicly available figure on the percentage of Facebook accounts with more than 10 friends, so can't calculate an actual cost).
You really think the Russian government turns a blind eye to cyber criminals? That doesn't seem right to me... if the officials aren't on the lookout for criminals, then how will they know who to blackmail for bribes?
I'll never make that mistake again, reading the experts' opinions. - Feynman
...probably some people "deserve" the trouble they attract when using computers. Using an easy login/password combination is something that's not my problem. Maybe illiterate people have this problem, but then "what did they expect" of computers and internet usage? They pretend it to be like turning on a bulb. It works, it doesn't work. I would sincerely propose something like a "computer usage credentials certificate". Someone is ALWAYS pretending "using computers is something anyone can do" (ha!)
No matter how easily I explain these risks to my acquaintances, they don't really understand the BIG trouble behind it, and they don't change passwords. When they tell me something like "my hotmail has a virus, please help me", I just ignore them, and/or tell them not to enter those silly webpages meant to steal your login password. It's some kind of natural selection. (And Mr. Russian is, "righteously", just rubbing his hands).
I'm starting to be fed up with losing my time and my friends'. And the best part is they still are friends with me. (I wouldn't expect less)
Besides, even people like me (for example), who do use "safe" passwords, are at this kind of risk (lousy webpage programming, plain http login/password negotiation, etc...), but then, having a periodical password change schedule is something NOT SO painful. Besides, if your web browser is nice enough (Opera for example), it can deal with your passwords wonderfully. Only you have to keep ALL your passwords inside an encrypted .rar archive (to say something), IN CASE YOU DON'T REMEMBER THEM... Again "not a big pain" (at least for me).
Paranoia with passwords, is something one can learn by conditioning (much like Pavlov's dog), and then you don't realize you're doing these (not so) "boring" routine tasks (like updating your local passwords file, etc...) On the long run, it's really worth its effort.
Greetings
--
Get 250 extra MB Dropbox space using this invitation http://bit.ly/agkF3r
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet. —Bruce Schneier 2005
No it isn't - it's just that the bank from which physical cash is withdrawn should end up with a net loss. Same thing would happen if I, as an Interweb merchant, sold goods to someone who had used a stolen CC - the $ would be deducted from my account and I'd have just given away free goods.
Cybercrime affecting some guy across the world and/or his local bank then becomes real theft by a Russian resident from a bank in Russia. Watch the Russian government suddenly take notice.
My facebook account was recently breached and I'm not sure how they obtained my login credentials. The attackers invited all of my friends to take part in a fake iPad giveaway. The message from my account informed my friends that a friend of mine had won an iPad last week and that they should all enter the contest. All evidence of this was then scrubbed from my account. I was only notified after a few of my friends sent me email asking about the contest.
Luckily, I don't use the same passwords for all accounts but I imagine they would try to access the email accounts linked to my facebook credentials to send personalized spam or attack my bank / paypal accounts.
the only way I can conceive this to be hacked ...
Always a dangerous statement - just because you can't think of an attack doesn't mean there isn't one.
You are correct that no one is going to guess the next one-time password. Instead, they are going to attack your machine, and piggyback on your session after you have logged in. This is happening in the wild today, although it's mostly aimed at larger commercial accounts.
Those keypads are more secure because they can be used to enter unique data for each transaction, like the amount of a transfer. Plus, they aren't connected to a network, so remote hacks are blocked. The keypad's generated code will definitively prove that the holder of the device entered the transaction data(*).
Obligatory Schneier reading: http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html
(*) The most likely attack against devices like this: the key stored on the bank's server. But it's just a single target, so it is easier to harden.
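The difference the reply above draws between a paper one-time code and a keypad code, as an added example that is not part of any comment here. It models the man-in-the-browser attack the reply describes: the customer authorises a transfer to one account, malware on their machine rewrites the destination before it reaches the bank. The paper TAN is valid for whatever arrives, while a keypad code computed over the transaction details (here an HMAC over counter, amount and destination, truncated to 8 digits) only verifies for the transaction the customer actually keyed in, and cannot be replayed because the counter moves. The key, account names, message layout and truncation are assumptions made for the demo; real devices use their own vendor or standards-defined scheme.

```python
import hashlib
import hmac

# Constructed demo key shared by the bank and the customer's keypad (assumption).
TOKEN_KEY = bytes.fromhex("0f" * 32)


def transaction_code(key: bytes, amount_cents: int, dest_account: str, counter: int) -> str:
    """What a transaction-signing keypad computes from the details the customer types.

    The MAC binds the code to this counter, amount and destination; changing any
    of them changes the code. 8 decimal digits keeps it typeable (demo truncation).
    """
    message = f"{counter}|{amount_cents}|{dest_account}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank-side verification for both schemes, so the outcomes can be compared."""

    def __init__(self, token_key: bytes, tan_list: list[str]) -> None:
        self.token_key = token_key
        self.counter = 0                    # next keypad counter value expected
        self.unused_tans = set(tan_list)    # paper list, Finnish style
        self.executed: list[tuple[int, str]] = []

    def submit_tan(self, amount_cents: int, dest_account: str, tan: str) -> bool:
        """One-time but unbound: a valid code authorises whatever transaction arrives."""
        if tan not in self.unused_tans:
            return False
        self.unused_tans.remove(tan)
        self.executed.append((amount_cents, dest_account))
        return True

    def submit_signed(self, amount_cents: int, dest_account: str, code: str) -> bool:
        """Bound: the code must match the MAC over the submitted details and counter."""
        expected = transaction_code(self.token_key, amount_cents, dest_account, self.counter)
        if not hmac.compare_digest(expected, code):
            return False
        self.counter += 1                   # consumed; the same code cannot be replayed
        self.executed.append((amount_cents, dest_account))
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    """Customer authorises 100.00 EUR to ALICE; malware rewrites the destination to MALLORY."""
    bank = Bank(TOKEN_KEY, ["4821", "9930"])   # constructed TAN list

    # Paper TAN: the hijacked session submits the tampered transfer with the real code.
    tan_hijacked = bank.submit_tan(10000, "MALLORY", "4821")

    # Keypad: the customer computed the code over ALICE, so the tampered transfer fails...
    code = transaction_code(TOKEN_KEY, 10000, "ALICE", bank.counter)
    signed_tampered = bank.submit_signed(10000, "MALLORY", code)
    # ...the honest transfer succeeds, and replaying the same code afterwards fails.
    signed_honest = bank.submit_signed(10000, "ALICE", code)
    signed_replay = bank.submit_signed(10000, "ALICE", code)
    return tan_hijacked, signed_tampered, signed_honest, signed_replay


if __name__ == "__main__":
    print(demo())
```

The footnote's point also shows in the code: the only long-lived secret is `TOKEN_KEY` on the bank's server and in the device, so that server is the one target worth hardening; nothing on the customer's PC is secret, which is exactly why malware there cannot forge a code.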
Not hard to do, considering 90% of Finland doesn't lock their mail boxes. My bank restricts my password length to 6 characters I think, so even with a random 4 digit code from a list of 100 it's still not that safe. Too much reliance on hard-copy data and not enough on a person's common sense. Changing your main password whenever you get your new set of codes is probably a wise option. Now, I have a couple of bank accounts in the UK, and they tend to follow the pattern of huge password, security questions (which most people with common sense don't actually answer as the real thing). All this tied up with a password safe thing itself with a password that is easy to remember :)
No system is without flaws, and the human side is where the faults will mostly occur. Just use your head and you'll be safe.
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons." --- Can't actually remember where that is from :(
The slashvertisement would have been too apparent, had the story been suggested by myself. ;)
I am so happy no one knows happygilmore45 except the ones I tell, and then I only put fake info; if they know who I am,
they don't need to read about it. No pics, no wall, except unless really needed. I'd rather be texting anyway than facebooking....is that even a word???
Cosmo, from the movie Sneakers with Robert Redford.
CAn'T CompreHend SARcaSm?
...when i get those annoying Facebook invites. Maybe a few of them will realize I'm not being anti-social for the sake of being, well anti-social.
Irony anyone? http://www.telegraph.co.uk/technology/facebook/7635125/Facebook-users-concerned-about-privacy-says-survey.html?state=target
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
To specify, money in a bank is just an entry in a database. Someone fraudulently reduces some entry by $1000 and increases another by $1000? Roll back.
Your "roll back" scenario is probably only reasonably workable if the transaction only involves 1 bank, but doesn't scale to multiple banks. Let's say I hack your account and wire $1000 to my account in a different bank. Your bank cannot just "roll back" because they've already transferred the money. If they just add $1000 to your account but don't deduct it elsewhere, they won't pass any audits. They need to deduct it back from my bank but they can't do that without my bank's cooperation. And my bank will not do so without my cooperation. See the problem here?
If the fraud was your fault (ie, you didn't secure your password or whatever), you probably won't be getting your money back. If the fraud was the bank's fault (ie., their system got hacked), they should credit your account and debit their fraud kitty. Either way, they're going to try and pursue the $1000 and get it back. This requires research and administrative burden.
Banks have a problem with the administrative burden? Luckily, mine is owned substantially by the state now, so shouldn't be much of a problem enforcing this.
Whether they charge your account directly, or take it out of your pocket in the form of taxes... you're paying for the administrative burden. Nothing is free, my friend.
Just don't post any sensitive information on Facebook and you can continue to stay connected to your family and friends.
Troll is not a replacement for I disagree.
Somebody hacked my FB and logged on as me asking my friends for money, saying I was overseas and had been mugged. It sounds like it has happened to numerous people. FB has shut down my account because I logged the issue with them, but I haven't heard anything about it since, probably because there are so many people affected.
I'm wondering whether Kirllos has already sold the IDs and passwords to the person/people who did this or whether it is another scam?