Clone Wars Revisited – Facebook Friend Requests

Caveat: while I spent over 30 years in IT security, and though I often wrote about Facebook’s failings in that area over that time, I don’t have intimate knowledge of its inner workings, or foreknowledge of changes in its policies and interface. So, while I hope the following notes will be more help than hindrance, and I certainly won’t knowingly give information or advice that may be misleading or harmful, I can’t guarantee its accuracy in all respects. Nor can I promise to offer help with individual attacks and problems.

That said, I regularly see that friends on Facebook have had their accounts either cloned or hacked, and perhaps it’s time to revisit the topic, even if no one’s paying me to do so.

Cloning Versus Hacking

Usually, when people get invites to be Facebook friends from people with whom they’re already Facebook friends, it’s probably a case of cloning, rather than hacking: the bad guys don’t need to hack an account to clone it.

Cloning is simply setting up an account that looks like someone else’s: if the victim’s profile information (photos, personal data) is easily available to the cloner, the fake account may look very similar indeed to the real account with no need to hack: however, the more restrictive your privacy settings, the less convincing the cloned profile is likely to look. If the fake account looks nothing like the real one, it suggests that the cloner didn’t have access to it, but there are hypothetical scenarios in which the attacker might not want to make the resemblance too strong.

Sending in the Clones

The most common symptom of cloning is that people already on your Facebook Friends List suddenly start getting invitations to connect to a different account that is apparently yours. However, if that’s the only suspicious symptom you see, that doesn’t prove conclusively that your account has just been cloned, not hacked. In theory, an attacker might do both. What’s more, as more people become aware of the cloning problem, cloning could be used as a stepping stone towards account hijacking.

Hack Attack

Hacking, in this context, suggests that the attacker has somehow managed to get the same access to (and control over) your account that you do. This is probably (but I don’t have exact figures) far less common than cloning, since it’s more effort for much the same results – that is, acquiring the ability to exploit you and your friends. But that doesn’t mean it doesn’t happen, or that cloning doesn’t matter.

Here’s how you can get some reassurance that you haven’t been hacked (it’s absolutely not cast-iron proof of invulnerability). This is how I do it from my laptop browser: unfortunately, it’s going to be different on a phone, tablet etc., maybe even differing according to model and OS, but as I’m no longer in the security business, I don’t have access to an infinite number of devices on which to check this out. And yes, there’s a good chance that Facebook will change this procedure sooner or later, but this should give you an idea of where to look. Right-click on your profile icon, at the top left of your home page. Clicking on the ‘Settings and Privacy’ option should take you to your account setting: click on the ‘Security & Login’ option in the left-hand column. There should be a section that tells you where (approximately) you’re logged in (including the device and application) now, and the same information for your most recent sessions. If there are logins and devices that don’t make sense to you, you have a problem: if not, you hopefully don’t. If you see a current login on an unfamiliar device or at an unfamiliar location, you may be able to log out all devices (not just suspicious device, as far as I can see, log back in and change your password before the (presumed) attacker can react.

There are a number of other useful options on that page including:

• Check your security settings
• Change your password
• Choose the devices on which your login information is saved
• Implement two-factor authentication
• Review the devices that are currently pre-authorized for login
• Get alerts about unauthorized logins

And yes, those may change… But they do offer some protection against hacking. You might also consider additional, more generic measures like not using the same password on more than one site; revealing as little information about yourself as possible on the internet to reduce the risk from data aggregation attacks (whereby an attacker gets your data from a variety of sources); being conscientious about installing security updates, and so on. While you can’t get 100% protection from all security issues – leakage of your data from a breached website you don’t control, for instance – you can certainly reduce those risks with due diligence.

Does The Difference Matter?

I often see cases where an account has probably been cloned but when they warn their friends that they’ve been cloned or attacked (they often assume they’ve been hacked), the post attracts recommendations for people (or self-described hackers!) who can allegedly help them recover a compromised account. These comments may be well-meant, but they may not: even if they are, they may be recommending services provided by people who are not so goodhearted. Bear in mind that if a self-described hacker seems to assume that a cloned account is evidence of hacking, the chances are he’s either incompetent or has malicious intentions. This is a possible scenario in which simple cloning is used as an intermediate step towards acquiring illicit access to a cloned account, by persuading a cloning victim to enable a scammer to access the real account.

Attackers do need illicit access to change your email address, password, name or birthdate, or to send messages/put up posts/put up ads from your account (as opposed to looking as if they came from your account). However, if you’re able to change your password – not a bad idea even if you’re pretty sure you haven’t been hacked – that doesn’t prove your account wasn’t hacked – the attacker is likely to think that s/he’ll get more mileage from the compromised account if you don’t realize it’s been compromised.

So Does Cloning Matter?

Maybe not to you, depending on what information the cloner managed to get from you. But it exposes your friends, especially those who aren’t as careful as they might be about who they befriend on social media, to the attention of scammers. Some people will still click on any friend request they get, though we should all know better by now. Some will have forgotten that they’re already your friend, perhaps because they have so many friends they don’t know in ‘real life’. They may assume that something went wrong with the requester’s account, so that they have to reconnect. (Perhaps that’s what happened, but it’s not safe to assume that’s the case!)

We already know that people are more likely to fall for a scam if it seems to come from a friend – not just requests to befriend, but also scams like:

• Some form of advance fee fraud (including those ever-present 419 scams)
• Requests for financial help such as a loan due to a temporary issue, such as being robbed while on holiday
• Phishing attempts to gain login and/or other personal information, perhaps as part of an aggregated data attack. You might be surprised at how quickly the answers to a few innocent-sounding questions, maybe from a number of directions, can add up to a viable fraud or even full-blown identity theft.
• Clickjacking or clickbaiting, where clicking on a link sent by a ‘friend’ sends your computer somewhere unhealthy.

Are Facebook Pages And Groups OK?

It’s by no means unknown for Facebook pages and even groups to be cloned. A commercial page might be cloned for many reasons, such as diverting payments or clicks, or to spread misinformation, in the same way that fake versions of conventional web sites are often used. Of course, it’s also possible to put up a page that impersonates a company or organization that doesn’t actually copy a real page. Sometimes, a fake page will seem to belong to an organization that has no real social media presence at all, and may not even exist.

The same applies to groups, but I’ve also seen instances where disagreement between group members and/or administrators has led to the setting up of similar groups in competition. In such a case, the new group might be deliberately made to look like the old one. It’s not always easy to spot cloned groups or pages: if you have one that might be attacked in this way, it may be worth regularly conducting a search under the name of your own page or group to see if other instances of the same name or something similar comes up. In fact, even individuals might consider doing the same thing, though, given the number of Facebook subscribers, it’s inevitable that there will be duplications.

This page explains the differences from Facebook’s point of view between profiles, pages and groups.

How Do I Know If I’ve Been Cloned?

Well, the chances are that someone will tell you. However, it may not be a good idea to take their word for it. They could simply be wrong, of course. Or they may have been duped by some variant of a rather silly semi-hoax that was doing the rounds a while ago, and for all I know still is, though I’d like to think that the article I wrote for ESET at the time may have helped to reduce its circulation. (Some of that information is slightly out of date, but I don’t work there anymore, so can’t amend it.) I call it a semi-hoax because it may have been well-meant, at least on the part of the people who continued to forward the message when they received it, but it created more problems (and confusion) than it solved because it was forwarded inappropriately.

You can try putting your own name into the Search box above your news feed and see if an account is shown that looks like yours, or possibly yours, but which you know isn’t. You can also put up a post asking your friends whether they’ve had a duplicate request to be friends. If someone else has your friends list, it’s very likely you’ll get several responses. There are ways to get a clone account removed, as long as you’re sure that you’re not causing trouble for someone with a legitimate account who simply happens to share your name.

What Do I Do If My Account Is Cloned?

Commercial sites have a nasty habit of moving advice/help pages around or disposing of them altogether, but here’s one with advice on “How do I report a Facebook profile or Page that’s pretending to be me or someone else?” It has to be said that you may not always be able to see the fake profile or page yourself, in which case you can ask a friend to report it, though in my experience Facebook is quick to accept and close the report but slow to actually take action, which it does by contacting the person whose account has been cloned. I’ve never had occasion to report an account cloning my own account: perhaps if it’s the victim who makes the report, they act more quickly. At any rate, I’d like to think so.

Here’s another page that covers a range of similar issues. There’s a guided procedure for reporting a hacked profile, advice on reporting a number of impersonation issues, including a cloned account (though it uses the term ‘impersonated’ rather than cloned), and advice on reporting a fake profile, which is a profile for a person or entity or organization that doesn’t exist.

An obvious thing to do immediately is to put up a post telling your friends that your account has been cloned or compromised, and that they shouldn’t accept new friend requests that seem to come from you. If you’ve checked the fake account and discovered that some of your friends have already accepted an invite, you might want to message them to suggest they unfriend/block the interloper account – I think you can message several people at once using the ‘New Message’ icon (it looks like a pencil on top of a piece of paper) at the bottom of your home page.

What If I Get A 2^nd Request From A Friend?

Check before you accept it, of course. Sometimes you can see from their page that their content is all wrong: it couldn’t be your friend. Even if it looks OK, ask your friend if it’s really from them – contact them by another route, for example via their old account, by a known email or SMS address, not via the new account – duh!)

How Can I Prevent Cloning?

You can’t, I’m afraid. It’s easy for an attacker to set up an account using your name: they don’t even seem to need your profile picture. However, there are a number of privacy settings you can set to reduce the risk of misuse of your information.. Setting your Friends List so that only you can read it vastly reduces the risk that your friends will be contacted by a cloned account.

I always recommend hiding your friends list:  and you can check all your privacy settings here.

The more information you make public, the easier it is for a cloner to misuse your images and data. You can reduce the risk by making your account less valuable to a scammer, by tightening your privacy settings. It’s mostly your Friends list they’re interested in: once people accept ‘your’ invitation, they can be sent messages apparently from you such as requests for financial help, malicious invitations to view videos and so on.

Many Facebook users get invitations to connect with people they’ve never met, and Facebook actively promotes the desirability of having lots and lots of ‘Friends’. It would be hypocritical to suggest that you shouldn’t connect with friends of friends, or people with shared interests encountered in groups or pages. Just be cautious, or else sooner or later you’re going to connect with some sort of scammer.

David Harley

*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2022/07/06/clone-wars-revisited-facebook-friend-requests/