Scamming Social Networks

Social networks have become a very popular usage of so-called "Web 2.0" technology. Web sites, such as Facebook and LinkedIn, have begun to move towards targeting working professionals, in addition to the traditional younger college and/or high school crowd. Myself, and others, have been doing extensive research into the security (and insecurity) present in social networking web sites. You may now be wondering, "Just how have you been doing your research?". Well, we decided to register ourselves on several social networking web sites to see just how they work, and just how ourselves and others could break them and abuse the security present in these web sites. What we've found has been very interesting, and useful for providing the community with information about the risks, and tips to protect themselves:

The “Evil Twin” attack was an experiment we performed, and turned out to be wildly successful. We registered a Facebook account as someone else, using an email address we controlled, pictures we downloaded from the Internet, and information we gathered from various publicly available sources. Our attack was very successful, several people believed that the person we faked was real and started to add them as a friend. The best defense here is to register yourself on social networking web sites to prevent others from doing so. We did a segment about this which you can read about and listen to here.

If you use social networking sites regularly you might say, “only people in my network can see my information or my pictures”. This may be true, however XSS vulnerabilities have exposed that information. For example, millions of pictures marked “private” on the popular social network site MySpace, and subsequently Facebook, were suddenly public due to a vulnerability. Once something is “public” on the Internet, there is no going back, its archived in cyberspace forever. Even without vulnerabilities there are groups on sites such as Facebook, and to a certain extent LinkedIn, that automatically allow others in your group to see your profile. For example, I was placed in the group “Providence, RI”, a group anyone can join, and now thousands of people can see my profile. You should always treat information on the Internet as public, whether marked "private" or not.

Recently there has been an unknown exploit of Facebook that is hijacking people’s Facebook accounts and putting up grotesque images, a social network “Rick Roll” attack with a bizarre twist. Reportedly there was a vulnerability in Facebook that allowed this to happen. However, recently I got the following email:

Looking at the link highlighted in red closely you see that it does not go to Facebook at all, but to some other site, which looks exactly like the Facebook login page, but really is an attacker collecting your username and password. Why would someone launch a phishing attack against Facebook? I'm still not certain why this information is so valuable that it is being targeted by attackers? If nothing else it proves that social networking sites are not only more popular, but represent an area that potentially could be profitable for attackers – as soon as I figure out how, I will let you know :).

Social networks are all about sharing information, however they’re a great way to distribute attacks. Attackers are not looking to use social networks to distribute links to a trusted audience, not just for fun, but profit! Use extreme caution when using social networks and try to think how attackers could use this information and technology against you.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.