This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: firstname.lastname@example.org. If you're dying to order the book, send mail to the same address. I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too.
One night in January 2009, at about the same time that Howard Crank was sending thousands of dollars to Spain, Beny Rubinstein was getting ready to turn off his computer and go to bed.
Suddenly he got an instant message from Bryan Rutberg, a friend who worked for a technology company. Rutberg’s message got right to the point.
"Look, I really need your help." Rutberg had taken a quick trip from Seattle to London, where he’d been robbed. He was broke in a foreign land. His Facebook page said the same thing, carrying an update that said, "Bryan NEEDS HELP URGENTLY!!!" Bryan needed a loan to get home. Could Rubinstein help?
Rubinstein could. He wired $600. That wasn’t enough, so he sent another wire transfer -- $1143 in all.
In fact, Rutberg was still in Seattle. His Facebook account had been hacked, and the hacker was messaging Rutberg’s friends, asking them all for quick wire transfers.
Rutberg, meanwhile, was locked out of his own account. He tried to stop the imposter by posting a comment on his own page, using his wife's account. Rutberg’s comment was quickly deleted, and his wife was "unfriended.” He had lost control of his online identity to a brazen scam artist.
A couple of days later, Facebook closed down the account, but Rubinstein’s money is long gone. Neither Rubinstein nor Rutberg is a technological naïf. But both were defeated by the mass customization of online fraud. It's not hard to write programs that will look for weak Facebook passwords, or that will send urgent instant messages to the friends listed in compromised accounts. Only when someone responds to the messages do the scammers need to become personally involved. The marks are all prequalified.
Best of all, it's possible for the scammers to get in and get out in hours, then disappear halfway around the world. Local police are helpless; they "are not investigating this case," said a police spokesman. "It is pretty much at a dead end."
As Microsoft has tightened the operating system, hackers increasingly rely on mass social engineering and insecure applications to open a hole in the victim’s defenses. Facebook is of course free, and the company is famous for not having a revenue model to match its massive user base. So it’s not surprising that its site still has security problems. But it’s the social engineering that made this scam work. Rutberg’s friends may not trust strangers who tell them they’ve won the Spanish lottery, but they do trust him.
In fact, the combination of “authorized malware” and targeted social engineering is so powerful that, despite Microsoft’s efforts, it’s now easier than ever to compromise computers, and their networks.