Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response

Attack of the Facebook Snatchers

Created: 13 Apr 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:50:18 GMT
Symantec Security Response's picture
-1 1 Vote
Login to vote

Facebook is quickly becoming one of themost popular social networking sites for the 20-something crowd. It wasinitially focused on college students, but has since opened up to thewider public. Recent statistics place Facebook among the most popularsocial networking sites on the Internet.

Privacy has become a bigger issue in recent times for socialnetworking sites. People are becoming aware of the danger of placingpersonally identifiable information in plain view on the Internet. Theapproach Facebook has taken towards privacy issues is a granular one.People with profiles on Facebook can join “networks” based on theirschool or workplace. All that is necessary to join a network is anemail account from that organization. Privacy settings can becustomized in many configurations, including maximum visibility, whereanyone can find your limited profile in a search; limited privacy,where only those in one of your networks can see your full profile; anda restrictive setting, where only friends can see your full profile.There are also several granular privacy settings where a user canspecify who can see what information.

This illusion of privacy leads people to be a little freer in theirdisclosure. Users will list their complete name, address and phonenumber in plain text, available to friends and members of the samenetwork. Email addresses are shown as images, providing protectionagainst Web-based crawlers, but not against more sophisticated attacks.These users provide more detailed information on this site compared toothers because of the perceived protection provided by the site'sprivacy measures. This “private” information found in many accounts isa treasure trove of contextual information for the determined phisheror identity thief, if they can get to it. One way for someone to obtainaccess to this information is to gain control of an account in the samenetwork or a friend’s account. This is often done with a standardphishing attack.

Traditionally, retail and financial services have been the mostcommonly phished sectors because they are the most likely to lead toimmediate financial gain. These industries have subsequently adaptedtheir Web interfaces and updated their security measures in order toprotect against this sort of fraud. Since social networking sites havenot been the target of high volumes of such attacks (less than onepercent of all phishing attempts in the second half of 2006), they havenot incorporated the same security measures as banks and onlineretailers. This makes it easy for experienced phishers to createphishing emails and sites to gain credentials for sites like Facebook.

For example, most users of Facebook are familiar with the "…hasadded you as a friend on Facebook…" stock email that reads as follows(where "Joe" would be the name of your friend):

Joe has added you as a friend on Facebook. We need you to confirm that you are, in fact, friends with Joe.

To confirm this friend request, follow the link below:
http://network.facebook.com/reqs.php

Thanks,
The Facebook Team

___
Want to control which emails you receive from Facebook? Go to:
http://www.facebook.com/editaccount.php?notifications

If you are not logged in to the site, this link leads to the following page:

Some users are conditioned to follow this process whenever theyreceive an email of this sort. Some people can receive this emailseveral times every day and perform this login procedure so often itbecomes automatic. This simple, clean design is very easy for a phisherto mimic. Since users are conditioned to follow this process blindly,they might not notice that the email is spoofed or that the address baris slightly incorrect. This makes Facebook users ideal targets for thetype of generic phishing attacks that are usually directed at financialinstitutions.

Once a phisher has access to many accounts on different networks,all the information that is given out under the assumption of privacyor semi-privacy can be harvested. It is true that this information(email addresses, physical address, phone number, interests, and listsof friends) can be sold to spammers or direct marketers, but it can bealso be valuable as the first step in a so-called context-awarephishing attack. I will be discussing context-aware phishing attacks inmy next blog, so stay tuned!

Updated: April 18, 2007