Social Engineering - Your Facebook Is More Valuable Than Your Bank Account
Want to know something interesting? Hackers prefer your Facebook info to your bank account. While bank accounts can be drained, banks are vigilant against such theft and react swiftly. Banks are also capable of reversing, tracking, and investigating intrusions, making them a tough target for the average hacker.
But what about your Facebook account? It's 2014. You've already scrubbed your Facebook of personal and embarrassing information, right? What could a hacker really accomplish by logging in and pretending to be you?
Users can build up massive amounts of personal information over time, and Facebook encourages this behavior in order to appropriately target ads. Information of this nature is fairly valuable on its own, but hackers and social engineers usually have a far more nefarious goal in mind when stealing accounts – the spread of a scam, exploit, virus, worm, etc., that depends heavily on users trusting their friends.
A single Facebook account is fairly worthless for the average hacker. Unless they are intensely interested in the person behind the account, they don't have access to much other than perhaps embarrassing messages. Luckily, Facebook users tend to trust each other a bit too much – most people don't think twice before clicking a link sent by their mother or best friend. Hackers know this, and have become particularly fond of a practice known as “clickjacking,” in which the user is usually given a link to a site that attempts to disguise the “Like” button behind invisible frames (Gallagher, S., 2011).
Once the “Like” button is triggered, the site can instantly use Facebook's architecture to spam their link using the account – without the account ever being truly hijacked. The user is still in control of their account, and their privacy remains essentially untouched. Thanks to Facebook's marketing efforts, clickjacking is pervasive and difficult to stop. Applications for Facebook have sprung up that essentially act as anti-malware for Facebook users, forbidding an account from mistakenly accessing certain malicious links. Interestingly, Facebook's marketing-friendly structure is what allows these attacks to easily occur – clickjackers are simply using the same mechanisms that many legitimate applications use to publish stories through user accounts.
For example, the Facebook game Farmville is capable (if the user allows it) of posting messages on friends' walls asking them for help. While Facebook could put an end to many clickjacking methods by simply disallowing messaging permissions for third-party applications, they are unlikely to do so. Disabling the messaging feature (as well as the prevalent “Like” button that controls it on third-party websites) would take away from Facebook's allure to advertisers – namely, the ability to maximize consumer impressions via simple user interaction. Facebook is quick to act on established threats, but it's easy to fault them for leaving the core vulnerability intact as a function of their money-making arm (“Facebook sues,” 2012). User education can only do so much – there's no possible way for users to memorize “bad” URLs (especially since they can change endlessly), and it's fairly ridiculous to ask users to never click on links sent to them by close family members. Facebook deserves to be placed under far more scrutiny for their role in clearly enabling attacks via their invasive marketing technology.
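The framing trick described above only works when the page that carries the button allows itself to be loaded inside another site's frame. As an added example (not part of the original essay and not Facebook's code), the Node.js snippet below evaluates response headers the way a browser does: a `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`, and a page with neither can be framed by anyone. All header sets and origins in it are constructed.

```javascript
// Header set a site can send so that no other origin may frame it.
const HARDENED_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

// Does one frame-ancestors source expression (e.g. "https://*.partner.example",
// "https:", "*") match the origin of the page doing the embedding?
function sourceMatches(src, embedder) {
  const e = new URL(embedder);
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === e.protocol;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== e.protocol) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never example.com itself.
  const hostOk = h.startsWith("*.") ? e.hostname.endsWith(h.slice(1)) : h === e.hostname;
  if (!hostOk) return false;
  const ePort = e.port || (e.protocol === "https:" ? "443" : "80");
  return !port || port === "*" || port === ePort;
}

// true if a browser would let embedderOrigin put the page (served from
// pageOrigin with these response headers) inside a frame.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const sameOrigin = new URL(pageOrigin).origin === new URL(embedderOrigin).origin;
  const csp = h["content-security-policy"] || "";
  const dir = csp.split(";").map((s) => s.trim())
    .find((s) => /^frame-ancestors\b/i.test(s));
  if (dir) {                         // CSP present: X-Frame-Options is ignored
    const sources = dir.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((s) =>
      s === "'self'" ? sameOrigin : sourceMatches(s.toLowerCase(), embedderOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin;
  return true;                       // no protection at all: frameable by anyone
}

module.exports = { HARDENED_HEADERS, sourceMatches, framingAllowed };
```

Running `framingAllowed({}, site, anything)` returns `true`, which is exactly the state a clickjacking page relies on; the hardened header set returns `false` for every embedder.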
While clickjacking relies on social pressure and trust in order to spread, social engineering relies solely on fraud, deception, and cunning in order to penetrate a user's account. The most common form of social engineering on Facebook takes the form of a simple friend request from a stranger – the strange account will usually be in similar networks or groups, and the engineer may even add some of your other friends in order to gain credibility in your eyes.
Once you've accepted their friend request, they are free to snoop through whatever personal information you have given Facebook, look at your friends, observe your habits, and most importantly, message you. The social engineer will likely introduce themselves innocently at first, with a vague background story - “Hey [user], we met a while ago at a party, what's up?” (Johnson, S. 2011). Depending on their interests, they'll either take advantage of whatever information you have available - this is “personal” social engineering (think jealous ex-girlfriends, insurance companies checking on a claimant, etc.) - or they'll leverage their newly found trust to entice you into clicking a link. The link may lead to simple clickjacking or more damaging methods of account penetration (such as viruses, keyloggers, etc.).
If the engineer manages to control your account using malware, he can then easily use it to fool your friends. There are massive variations of Facebook scams, but some common ones seem to revolve around being trapped in a foreign country with no money. I have seen this scam twice personally - people I hardly talked to messaged me in broken English to beg for money via Paypal so they could afford a flight home. The odds of this working are obviously quite slim, but the engineer merely needs a few people to fall for their scam in order to be profitable. This sort of scam relies heavily on user ignorance and the manipulation of genuine trust in order to succeed – educated, suspicious users will not fall for these sorts of scams. Much like how I lost my AOL account when I was young and inexperienced, scammers simply target as many potential victims as they can in hopes of catching someone off guard.
Unfortunately, social engineering scams can't be fixed with a quick patch or a few lines of code. The solution invariably must involve user education – Facebook can't be held accountable for fake accounts that look believable. Luckily, most users in the current age are far more aware of online danger than I was all the way back in the days of AOL and dialing in. While Facebook can (and should) do more to prevent clickjacking and message spamming, it can't manually stop someone from revealing their password or personal information. A properly educated, wary, and informed user is the most effective deterrent against social engineering.
Clickjacking. (2012, February 28). Retrieved from http://www.facebook.com/pages/Clickjacking/103826422989485
Kollmer, D. (2012, January 17). The Koobface malware gang - exposed! Retrieved from http://nakedsecurity.sophos.com/koobface/
Facebook sues alleged clickjacking spammer sparking row. (2012, January 27). BBC. Retrieved from http://www.bbc.co.uk/news/technology-16755434
Gallagher, S. (2011, November 15). Clickjack attacks plaguing Facebook with 4chan-like porn, violent imagery. Retrieved from http://arstechnica.com/tech-policy/news/2011/11/clickjack-attacks-plaguing-facebook-with-4chan-like-porn-violence-imagery.ars
Johnson, S. (2011, April 05). Social engineering on Facebook – you’re probably already a victim. Retrieved from http://computertutorflorida.com/2010/04/social-engineering-on-facebook/
Long, J., & Mitnick, K. D. (2009). No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing. Syngress Media Inc.
Mann, I. M. (2008). Hacking the human. Gower Publishing.
Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. John Wiley & Sons Inc.