Researchers at VeriSign’s iDefense division tracking the digital underworld say bogus and stolen accounts on the Facebook social-networking service are now on sale in high volume on the black market.
During several weeks in February, iDefense tracked one hacker’s effort to sell log-in data for 1.5 million Facebook accounts on several online criminal marketplaces, including one called Carder.su.
That hacker, who used the screen name “kirllos” and appears to deal only in Facebook accounts, offered to sell bundles of 1,000 accounts with 10 or fewer friends for $25 and with more than 10 friends for $45, says Rick Howard, iDefense’s director of cyber intelligence.
The case points to a significant expansion in the illicit market for social networking accounts, he says. Until now, trafficking in the accounts observed by iDefense has been much smaller and confined to social networking sites popular in Eastern Europe, like the Russian site VKontakte.
“We’re seeing this activity spread over to the U.S.,” he said.
Criminals steal log-in data for Facebook accounts, typically with “phishing” techniques that trick users into disclosing their passwords or with malware that logs computer keystrokes. They then use the accounts to send spam, distribute malicious programs and run identity and confidence fraud.
Facebook accounts are attractive because of the higher level of trust on the site than exists in the broader Internet. People are required to use their real names and tend to connect primarily with people they know.
As a result, they are more likely to believe a fraudulent message or click on a dubious link on a friend’s wall or an e-mail message. Moreover, the accounts allow criminals to mine profiles of victims and their friends for personal information like birth dates, addresses, phone numbers, mothers’ maiden names, pets’ names and other tidbits that can be used in identity theft.
Last summer, Eileen Sheldon’s Facebook account was hacked and used to send messages to about 20 friends claiming she was stranded in Britain without a passport and needed money. Sheldon, who lives in Marin County in California, had recently been living in London, and one friend, believing the ruse, wired about $100 to the thieves.
Other friends smelled a fraud and warned Sheldon, who quickly reported the problem to Facebook. Within a few hours, Facebook took control of her account, though it took about two more weeks before Sheldon was able to regain access. She does not know how her password was stolen.
While the accounts that were compromised and offered for sale could be legitimate ones like Sheldon’s, they most likely also included bogus accounts, Howard said. iDefense did not see the accounts themselves, but the inclusion of many accounts with small numbers of friends suggests the seller created fake accounts, perhaps using an automated tool, and sent out blind friend requests to gather contacts.