With more than 400 million accounts and an anticipated $1 billion in revenue this year, Facebook's ever-expanding user base is increasingly attractive to hackers. After all, users must include a real name and often share identity-defining information such as date of birth and location.
In February alone, iDefense tracked hacker Kirllos' efforts to sell log-in information for 1.5 million Facebook accounts -- about 0.4% of the user base -- across several infamous, illicit criminal trading sites. Already, Kirllos has sold log-in data for about 700,000 Facebook accounts, iDefense estimates.
For $25, Kirllos supplied bundles of 1,000 accounts with 10 or fewer friends. The hacker charged $45 for a similar bundle of users with more than 10 friends, said Rick Howe, director of cyber intelligence at iDefense.
Hackers typically use phishing techniques to con users into revealing their passwords, or install malware that logs keystrokes. Cybercriminals then use this information to run identity fraud, distribute malicious applications, access bank or other financial accounts, launch denial of service attacks or send out spam.
To protect against phishing, users should create a strong password and avoid clicking on suspect or unknown links, even those provided by real friends, security experts advised.
Although some real accounts are up for sale, many more are fraudulent, said Howe in a published report. Since Kirllos is selling so many accounts with fewer than 10 friends, it suggests the seller created fake accounts, he said.
Facebook has tools and procedures in place designed to counter the creation of fake accounts, according to a company spokesman. Rapid-fire friend requests in a short time span and a high percentage of ignored friend requests raise red flags, said Facebook's Simon Axten. The company also looks into reports of suspicious users, he added.
This is not the first time social networking sites have come under attack. Last year, Symantec observed hackers using the Bredolab Trojan -- which downloads password thieves, rootkits and back doors -- to target social networking sites, according to the developer's April 2010 Security Threat Report. Likewise, the Banker.C Trojan was designed to steal private information from social networking sites and online banking, Symantec said.