Reporters and producers at a television station in Baltimore recently found out the hard way that they shouldn't blindly accept Facebook friend requests. Last month, they found that their profiles had been cloned by an attacker who quickly used their network of friends to spread malicious links and ask for money.

Attacks on media organizations' social media accounts have been at an all-time high this past year, including "hacktivist" and state-sponsored attacks on media outlets from the Syrian Electronic Army. But the attack on the staff of WBAL-TV was directed toward staff members' personal accounts. And this initiative was a more workaday one, aimed less at the station itself than at the friends, co-workers, and viewers who were connected to the cloned accounts.

Because some of WBAL's staff members mixed their personal and professional social networking together, the attack gave the scammer access to a huge audience's Facebook news feeds. After the attack was discovered, it took weeks for Facebook to shut down the fake accounts.

Target rich environment

Social media has become the new inbox for many people. Many go to the site to find out what their closest personal and work contacts are up to and to communicate in a way that used to be reserved for e-mail. So spammers, scammers, and hackers have followed their targets to Facebook and Twitter almost since the services were created.

Facebook in particular has been a magnet because of the amount of personal information the network makes available through "friend" and "like" connections. While the company has made efforts to shut down malware spread through Facebook "apps" and links—even teaming with antivirus providers to stop the most common threats—Facebook remains a goldmine for attackers looking for personal information to mount social engineering attacks.

In WBAL's case, the attack apparently began when a friend request was sent to the personal Facebook account of WBAL's executive sports producer, Chris Dachille. The request appeared to be from someone Dachille knew, so he accepted it. The attacker then scraped images and other information from his account and used it to create a profile under his name. The clone account sent friend requests to Dachille's existing friends, and many in turn accepted.

Dachille was unaware of the doppelgänger until his friends started to tell him that someone was posing as him, sending requests to them for money and posting spam-like links to their news feed.

The attack quickly spread through the newsroom to Dachille's colleagues. WBAL reporter Kerry Cavanaugh had her account duplicated, as did several other staff members. The attacker blocked the victims from seeing the other accounts set up in their names, so the staff wasn't aware of what was happening until others notified them.

Justify your existence

Discovering the problem turned out to be just the beginning. Dachille contacted Facebook through its "report abuse" link and customer support. Around the same time, Cavanaugh reached out to me to understand what the risks associated with the attack were, and I tried to contact Facebook about the matter.

But no action was taken until WBAL contacted the Maryland Attorney General's office. That, in part, was because of the difficulty of distinguishing a fraudulent account from a real one. Many legitimate accounts share a name with another user, and the level of detail in their accounts made these clones seem genuine. Cavanaugh told me that the duplicate account had even filled in a birthday that was close to the date of her own—information she hadn't provided in her original profile.

A company spokesperson responded to WBAL's inquiries with a written statement on Facebook's policies—essentially pointing the finger at the users themselves. "Facebook is constantly developing new tools to help users tighten their security settings and educating users about best safety practices," the statement read. The spokesperson went on to provide a list of best practices to protect personal information that included tips to "vet every friend request" and "beware of suspicious e-mails with misspellings, typos, multiple fonts, or oddly placed accents."

Fortunately, no one at WBAL clicked on the links in the news feed posts from the fraudulent accounts—mostly because they were so poorly written. They were composed in broken English and it was obvious (to staff at least) that they hadn’t come from the people the accounts purported to be. Sadly, the same wasn't always true for people outside the organization, including viewers who possibly followed those accounts inadvertently.

The weakest link

Facebook offers a verified identity service for "pages"—the accounts created for businesses and public figures to maintain a separate identity in Facebook from their personal presence. Twitter only offers its blue check mark to a select few users (such as celebrities, public figures, and brands—recently including Ars Technica staff members). So there's not much normal people can do to assert their digital identities on these social networks within the networks themselves. The best defense seems to be connecting with others personally to verify "Yes, that's me."

The problem is that nearly everyone on Facebook or Twitter is connected to someone whose awareness of things like click-jacks, phishing, and identity fraud is limited at best. And most people assume this is something that won't ever happen to them. I've fended off a number of Facebook scams myself that were launched at me because my 71-year-old father clicked on a link someone posted to his news feed. And he's received spam messages purportedly from me—but from different e-mail addresses—as well as from accounts claiming to be other Facebook friends. Most of these contain phishing links aimed at digging deeper into his personal information or perhaps installing malware.

Using personal social media for work, however, magnifies the impact of a bad click. The links sent to staff members by their coworkers' doppelgängers were not available for analysis. Facebook took them down before I was able to look at them. But based on their description, they could have done a lot more damage to the station than confusing relatives—they appeared to be to malicious websites that could have infected the station's network with malware.