In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell writes a follow-up to a very disturbing Facebook scam that we reported on last November.
This week, I thought I'd revisit a case I talked about a few months ago, in part because the accused actually pleaded guilty and so we can talk about the case in more detail. But also because it was such a troubling case and one that revealed that Facebook scams and hacks can be far more sinister than we imagine.
This particular case highlights a growing threat, where your Facebook profile is simply the means to some dark end. According to California's newly appointed Attorney General, 23-year-old George Bronk recently pleaded guilty to a variety of charges that should send him to prison for many years. And his crime spree took advantage of a very obvious loophole in Facebook — one created by users.
According to the indictment, Bronk would trawl Facebook pages looking very specifically for the profiles of women that included their email address. No matter how many times we've cautioned against it, many Facebook users still make their email address open to everyone.
Once he found a Facebook profile that included an email address, his next step was to contact the email provider, pretend to be that user, and get access to their email account. But in order to do that he would have to answer the security questions selected by the legitimate user.
And where did he find those answers? He found them in the Facebook profiles of his victims, of course. Not only were his victims sharing their email addresses with complete strangers, they were also innocently revealing the answers to their email security questions by simply talking too much on Facebook.
According to the indictment, the common security questions posed by e-mail providers included "What is your high school mascot?", "What is your father's middle name?", "What is your favorite food?" and "What is your favorite color?" Bronk was apparently able to find most of the answers in the victims' own Facebook comments.
Once he was able to access a victim's email account, he could then change the password and lock them out. And because he now had control over the victim's email account, he was also able to access their Facebook pages. All he needed to reset their Facebook password was to have a new password sent to their email address. The very email address he now controlled.
And with that email control, his motives became more apparent. What he was really after was not their email communications or personal information, but very specific content that he knew many email users might keep - nude, semi-nude, or otherwise embarrassing photos that the victim might have emailed to other people.
Armed with these embarrassing photos, Bronk would then launch the next phase of his attack — extortion. He would contact the women whose embarrassing photos he had managed to access, and would demand they send him even more explicit photos in exchange for a promise not to publish these photos or send them to the victim's entire email list; a list which could obviously include parents and other family members, employers, customers and many others. And that threat appeared frightening enough for at least 46 victims to comply with his demands.
Over a period of a little more than a year, Bronk is believed to have targeted women in 17 states and even in England. When police raided his home, they found more than 170 files containing explicit images, as well as the personal email addresses of more than 3,000 women whom he had either been researching or already had targeted.
This seedy case highlights how the basic hacking of email and Facebook accounts can be a simple precursor to far more serious crimes - in this case sexual extortion. And it's such an easy crime to pull off, I can't imagine the damage it might do to a young teenager who may not take security and privacy very seriously, might not exercise good judgment in the types of photos he or she might keep on Facebook or exchange by email or by phone, and might be more easily persuaded into complying with the sick demands of a criminal like this rather than risk having their parents or classmates find out about these images.
It also shows just how easy it still is to spoof Facebook and email providers, especially when we're still relying on the answers to simple questions that, in an age of global connectivity, just about anybody can find the answers to.
The California Attorney General's office did offer some useful advice, like picking security questions and answers that are not public knowledge. But as users, we rarely get the option to "create" the security questions we're asked.
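As an added illustration that is not part of the original article, here is the kind of check an e-mail provider, or a cautious user, could run before accepting a security answer: compare each chosen answer against the text of the user's own public posts. The posts and answers below are constructed samples, not data from the case.

```python
import re
import unicodedata

# Constructed sample: a user's public Facebook-style posts and the
# security-question answers they chose at an e-mail provider.
PUBLIC_POSTS = [
    "Go Tigers! Best high school mascot ever, class of '08 reunion this fall.",
    "Dinner with dad (Robert James Smith) tonight, pizza as always!",
    "New car, and yes it's purple. Purple is my favorite color, don't judge.",
]

SECURITY_ANSWERS = {
    "What is your high school mascot?": "Tigers",
    "What is your father's middle name?": "James",
    "What is your favorite food?": "Pizza",
    "What is your favorite color?": "Purple",
    # A made-up, non-public answer: nothing in the posts reveals it.
    "Name of your first street?": "Q7x-maple-4491",
}


def normalize(text):
    """Lower-case, strip accents and collapse punctuation so that
    'Pizza!' and 'pizza' compare equal."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def answer_is_public(answer, posts):
    """True if the normalized answer appears as a whole word (or phrase)
    in any public post. Whole-word matching avoids false positives such
    as the color 'red' inside 'hundred'."""
    needle = normalize(answer)
    if not needle:
        return False
    pattern = re.compile(r"\b" + re.escape(needle) + r"\b")
    return any(pattern.search(normalize(p)) for p in posts)


def audit_security_answers(answers, posts):
    """Return the questions whose answers a stranger could read straight
    off the public posts; these should be rejected or changed."""
    return [q for q, a in answers.items() if answer_is_public(a, posts)]


if __name__ == "__main__":
    for question in audit_security_answers(SECURITY_ANSWERS, PUBLIC_POSTS):
        print("answer visible in public posts:", question)
```

With the constructed data, four of the five answers are flagged; only the made-up street answer survives, which is the point of the Attorney General's advice.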
But the most important step you can take to protect your identity is to minimize the amount of personal information you post about yourself, anywhere.
Read the full warning about identity theft from California Attorney General Kamala D. Harris.