Skip the navigation

Facebook users fall for rubber duck's friend request

People still haven't learned that social sites are criminal gold mines, says security firm

December 7, 2009 03:51 PM ET

Computerworld - Facebook users haven't learned to keep their personal information private, a security researcher said today after his company conducted a test that sent randomly-selected people a friend request from bogus accounts.

One of the account profiles sported only an image of a yellow rubber duck, while the other was represented by a pair of cats.

The test conducted by Sophos was similar to one the firm did two years ago, said Graham Cluley, a senior technical consultant at the U.K.-based security vendor. In the 2007 test, 41% of the Facebook users who received the request from "Freddi Staur," represented on Facebook by a toy frog, divulged personal information, such as their e-mail address, date of birth and phone number to the stranger.

In 2009, up to 46% of the people pinged from a pair of made-up accounts -- one allegedly a 21-year-old single woman, the second a 56-year-old married woman -- responded to the friend request. A majority of those who responded gave away their full date of birth and their e-mail address.

"It looks a little bit worse now than before," said Cluley, referring to the numbers of Facebook users willing to part with personal information. "It was staggering, actually."

The two separate requests -- each aimed at 100 randomly-chosen contacts in the two fake users' age groups -- also illustrated the difference between younger and older users on Facebook. Although the 50-something crowd responding to the request from "Dinette Stonily" were less likely to give out a fully-fleshed date of birth, they were three times more apt to hand out their phone number.

Relatively few people in either group -- just 4% of the group replying to 21-year-old "Daisy Feletin," and 6% of the older users -- gave out their full street address, however.

The "Daisy Feletin" profile used an image of a toy duck as the account holder's photograph.

People just don't seem to get it, Cluley said, no matter how many times they're warned that identity thieves and other criminals troll social networking services like Facebook for useful information. "Sometimes it seems that we're in a classroom, and all the students are donkeys," Cluley bemoaned.

"Ten years ago, it would have taken a con artist weeks, maybe with the help of a private investigator, to come up with this kind of information. Or diving in garbage bins," said Cluley.

Now, however, people see services like Facebook as entertainment. "They think they have nothing to lose, giving out information, but you have a lot to lose," Cluley warned. "People have to remember that the Internet is, to some extent, public. Criminals essentially have a one-in-two chance of getting information without even trying."

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!