Thursday, April 16, 2020

Social Engineering Facebook

Social Engineering

NOTE: Since being published, this article has been updated with new information. 

If you’re on social media, specifically Facebook, you’ve seen the 21st-century version of chain letters. Lately there have been lots of “challenges”, quizzes, and tagging of friends to encourage them to keep the challenge going. List every country you’ve been to, list every state you’ve been to, favorite movies, pictures of pets, pictures of your spouse and/or your parents, and the most current: your high school senior photo, under #Classof2020.

Who knows who starts these, but they catch on as cute or fun ways to pass the time on Facebook. They are also ways for social engineers to find out more than you want strangers to know. Using the short list above, with how many total strangers would you exchange that information? Probably not many. But most people don’t have very secure social media accounts. They are completely open to public view. Simple searches, most likely by the ones who started these challenges, can find the responses to hashtags, and bots can mine the information. Then, using social engineering, the hacker can construct quite a profile on you.

As if your basic profile information isn’t enough, add to it the answers from the above examples. Now, in addition to your name, age and/or exact date of birth, high school, university, and town, they can add photos and names of parents, spouses, pets, etc. For example, by viewing the Facebook page of someone who completed some of the more popular quizzes, one could determine the following:

Jane Doe
Born January 1, 1973
Lives in Anywhere, Iowa
Went to Anywhere High School and Iowa State University, graduating in 1994
Not married
Christian
Her parents are John and Jeanine (Pictures)
Loves dogs, especially her German Shepherd Rover (Picture)
Has visited 15 U.S. states and Paris, Rome, and London (Pictures)
Loves movies, specifically classic romances
Lots of pictures of Jane and check-ins at her favorite places (with dates and times)

All of this information is more than enough to construct passwords, answers to security questions, or even more nefarious real-world activities.
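
A defensive self-check for the point above, as an added example that is not part of the original post: given the facts a stranger could read from the Jane Doe profile, it reports which of them appear inside a password or security-question answer you are considering. The substitution table, the date layouts and all function names are assumptions made for this illustration.

```python
import re
from datetime import date

# Constructed input: the Jane Doe facts from the list above, as any stranger could read them.
PUBLIC_FACTS = {
    "name": ["Jane", "Doe"],
    "birth date": [date(1973, 1, 1)],
    "town": ["Anywhere", "Iowa"],
    "graduation year": ["1994"],
    "parents": ["John", "Jeanine"],
    "pet": ["Rover", "Shepherd"],
    "travel": ["Paris", "Rome", "London"],
}

# Assumed substitution table (not exhaustive): maps common look-alike characters to letters.
LEET = str.maketrans("0134578@$!", "oieastbasi")
MIN_LEN = 4  # ignore very short words such as "Doe" to limit false positives


def normalise(text):
    """Lower-case, undo look-alike substitutions, drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def date_forms(d):
    """Digit strings commonly derived from a date (assumed set of layouts)."""
    layouts = ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")
    return {d.strftime(layout) for layout in layouts}


def audit(secret, facts=PUBLIC_FACTS):
    """Return the categories of public facts found inside a password or security answer."""
    folded = normalise(secret)            # view used for word matching
    digits = re.sub(r"\D", "", secret)    # view used for date matching
    hits = set()
    for category, values in facts.items():
        for value in values:
            if isinstance(value, date):
                if any(form in digits for form in date_forms(value)):
                    hits.add(category)
            elif len(value) >= MIN_LEN and normalise(value) in folded:
                hits.add(category)
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ("R0ver1973!", "Jeanine", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {audit(candidate) or 'no public facts found'}")
```

Any non-empty result means the secret leans on something already posted publicly and should be replaced with one that does not.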

Users feel comfortable within the confines of Facebook. As with other cons, these are perpetuated because of the element of trust. Trust that it came from a friend, so it must be OK. Or it’s only a harmless quiz about my favorite TV shows. Also, trust in the complacency that only your friends can see the responses. Once your friends start sharing, your information is exposed.

In addition to the cut-and-paste challenges, there are external links to quizzes. The links take you to a third-party site that runs the quiz and posts back to Facebook. Most have learned not to click on links in emails. Why would you click on a link within a Facebook post? Back to trust. A friend shared the post, so it must be safe.

Use social media wisely. Check your privacy settings. If you haven’t done so in a while, change your password. Think twice before participating in cut-and-paste challenges and quizzes. You don’t want to be the one making the familiar post: “Don’t accept any friend requests from me. I’ve been hacked!!”

April 27, 2020: The FBI issued a warning not to participate in social media quizzes. The quizzes are based on "something you know; something you have; and something you are", all of which can be used to social engineer passwords.
FBI bulletin: https://www.fbi.gov/contact-us/field-offices/pittsburgh/news/press-releases/fbi-pittsburgh-warns-popular-social-media-trends-can-lead-to-fraud
