Perimeter
3/8/2010 09:42 AM

Facebook As A Spear-Phishing Tool

My company Secure Network has been performing a variety of penetration tests that leverage information derived from sites such as MySpace and Facebook.

Some of our assignments have been to gather intelligence from these sites, which allowed us to steal the identities of employees, gain physical access to the workplace, and even get connected to internal networks. Numerous clients have asked us to see whether the social networking sites used by their employees can lead to successful phishing attacks against their company and personnel. The results of these tests have been incredibly successful -- and, at the same time, frightening.

It works like this: To prepare for a phishing attack, we start by focusing on the company Facebook groups that our client's employees have set up. Using a bogus identity, we join the company Facebook site and start mining the names and email addresses of individuals who identify themselves as employees. If they don't list a company email address, we research our client's email naming convention on the Internet and build our list from that.

As we collect a database of names for our phish, our next step is to prepare the components needed to retrieve the bounty of our scam. We register a domain name similar to our client's, but with something of common importance to all employees added to it; the name usually takes on the appearance of a human resources or benefits portal. When we email the employees as "human resources," they are directed to a Web page such as https://www.xyzcompany-benefits.com. Since the tests we perform collect real user names and passwords, we also obtain a certificate for the site so that no credentials are sent in clear text.

The page takes on the look and feel of the company Website, with similar banners, logos, and navigation structure. Our clients frequently ask that we "dumb down" the page to give their employees a sporting chance of realizing it is a forgery. In most cases, we fill the page with misspelled words, irregularly shaped logos, and a fine-print disclaimer that says the page is completely fictitious and has nothing to do with the human resources department.

The phishing email itself appears to come from the company's human resources department. The message usually announces that a new benefits portal is being launched and that the employee should follow the enclosed link. On our bogus page, the target is asked to enter the user name and password they use each day to log onto the company network. Once they submit them, we direct them to an "Under Construction" or "Come Back Soon" page.

The email is typically formatted in HTML and mirrors the look of the page it links to. As with the phony Web page, we give employees a chance to spot that the message is a fake: we send it from a Hotmail account and write it with poor grammar and numerous misspellings.

The day of delivering the payload is very important: We prefer Sunday night. Having mail stack up from Friday evening and during the weekend allows our message to be interwoven into a mix of email messages.
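The traits the column deliberately leaves in place to give employees a sporting chance (a "human resources" display name on a free webmail address, and a link to a lookalike domain that carries the company name plus a benefits theme) are exactly what a mail gateway or triage script can key on. The following Python check is an added example written for this page, not Secure Network's tooling; the company domain xyzcompany.com, the webmail domain list, the role words and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the protected company's domain, a short list of
# consumer webmail domains, and words that suggest an internal department.
# None of these values comes from the article.
COMPANY_DOMAIN = "xyzcompany.com"
WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "live.com"}
ROLE_WORDS = {"hr", "benefits", "payroll", "helpdesk"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def registrable(host):
    """Crude registrable-domain extraction: last two labels (adequate for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True when a domain borrows the company name but is not the company's own domain
    (e.g. xyzcompany-benefits.com). A real subdomain such as benefits.xyzcompany.com
    reduces to the company domain via registrable() and is not flagged."""
    brand = company.split(".")[0]
    return domain != company and brand in domain.replace("-", "").replace("_", "")


def claims_internal_role(display_name):
    """True when the From display name presents itself as an internal department."""
    text = display_name.lower()
    words = set(re.findall(r"[a-z]+", text))
    return "human resources" in text or bool(words & ROLE_WORDS)


def analyze_message(raw):
    """Return a list of indicator strings for one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.partition("@")[2]) if "@" in addr else ""
    if claims_internal_role(display) and sender_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{display}' claims an internal role but From domain is {sender_domain or 'missing'}")
    if sender_domain in WEBMAIL_DOMAINS:
        findings.append(f"sent from consumer webmail domain {sender_domain}")

    # Pull every URL out of the body (HTML href targets included) and test its domain.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    for url in URL_RE.findall(body):
        domain = registrable(urlparse(url).hostname or "")
        if is_lookalike(domain):
            findings.append(f"link to lookalike domain {domain}: {url}")
    return findings


# Constructed sample messages (not real mail): one lure in the style the column describes, one legitimate notice.
PHISH = """\
From: Human Resources <xyz.hr.benefits@hotmail.com>
To: employee@xyzcompany.com
Subject: New Benefits Portal
Content-Type: text/html

<html><body><p>Pleas log in to the new benifits portal at
<a href="https://www.xyzcompany-benefits.com/login">XYZ Benefits</a>.</p></body></html>
"""

LEGIT = """\
From: Human Resources <hr@xyzcompany.com>
To: employee@xyzcompany.com
Subject: Open enrollment
Content-Type: text/html

<html><body><p>Open enrollment begins Monday: <a href="https://benefits.xyzcompany.com/">enroll here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze_message(raw) or "no indicators")
```

The lookalike test deliberately works on the registrable domain rather than the full hostname, so a genuine `benefits.xyzcompany.com` portal passes while `xyzcompany-benefits.com` is flagged; in production the two-label heuristic should be replaced with a public-suffix-aware parser and the company name compared against the organisation's actual registered domains.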

Our Facebook phishing tests have produced some amazing results. Although the size of the company makes a difference, on average we have been able to accumulate 300 to 500 phishing targets from Facebook and other social networking sites. When we launch the spear-phishing attack, we usually get an average response rate of 45 to 50 percent: nearly half of the employees reply to our email with the logins and passwords they use on their employer's network.

When launching these directed phishing tests, we also found that in most cases the test has to be stopped by the middle or end of the first day after the email is sent. The reason is that our targets usually forward the phish to other employees and entire departments, which exponentially increases our audience and creates mayhem in the company when somebody in HR finally realizes a phish is running rampant in the organization.

Another interesting finding is that targeted users will often provide more than one login and password when the displayed page says "Under Construction." Frequently, a respondent will enter a relatively hard password, but one that follows a numerical sequence such as Summer1, Summer2, and so on.
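A defender can turn the Summer1/Summer2 observation into two checks: a password-change hook that rejects a new password which differs from the old one only by its trailing number, and a post-assessment grouping that finds such families in a list of submitted credentials. The Python below is an added example, not the column's code; the season and month word list and the sample passwords are constructed.

```python
import re
from collections import defaultdict

# Constructed word list: Season+N and Month+N stems are a common predictable rotation pattern.
SEASONS_AND_MONTHS = {
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Split a password into its textual stem and its trailing integer.
STEM_RE = re.compile(r"^(.*?)(\d+)$")


def split_suffix(password):
    """Return (stem, trailing_number) or (password, None) when there is no trailing number."""
    m = STEM_RE.match(password)
    if not m:
        return password, None
    return m.group(1), int(m.group(2))


def is_seasonal(password):
    """True for Season/Month + number, e.g. Winter2009, regardless of case."""
    stem, n = split_suffix(password)
    return n is not None and stem.lower() in SEASONS_AND_MONTHS


def predictable_rotation(old, new):
    """True when the new password keeps the old stem and only changes the trailing number
    (Summer1 -> Summer2, Summer9 -> Summer10). Intended for a password-change hook."""
    old_stem, old_n = split_suffix(old)
    new_stem, new_n = split_suffix(new)
    if old_n is None or new_n is None:
        return False
    return old_stem.lower() == new_stem.lower() and new_n != old_n


def sequence_families(passwords, min_members=2):
    """Group submitted passwords that differ only by a trailing number.
    Returns {stem: sorted list of numbers} for stems seen with at least min_members distinct numbers."""
    families = defaultdict(set)
    for pw in passwords:
        stem, n = split_suffix(pw)
        if stem and n is not None:
            families[stem].add(n)
    return {stem: sorted(nums) for stem, nums in families.items() if len(nums) >= min_members}


if __name__ == "__main__":
    # Constructed sample of what one respondent might type into an "Under Construction" page.
    submitted = ["Summer1", "Summer2", "Summer3", "Tr0ub4dor&3", "Winter2009", "Summer1"]
    print(sequence_families(submitted))
    print(predictable_rotation("Summer1", "Summer2"), is_seasonal("Winter2009"))
```

`sequence_families` is useful when reporting on a test like the one described: it shows a client how many of the harvested credentials belong to a single guessable family, which is the finding that justifies a rotation check rather than a longer-password rule.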

When we present the findings to our clients, it becomes clear that the wealth of information collected from an unofficial company presence on Facebook could lead to a significant breach of their company network.

So what should you do to minimize the risk of company information being leaked or gathered via social networks? Here are a few tips:

-- Officially sponsor the social networking site and assign an administrator who is responsible for approving employees who want to join. This helps keep someone from infiltrating the site for devious purposes.

-- Establish a social networking policy. If your employees participate in social networking sites (company sponsored or not), make sure company policies dictate what is and is not permissible. For example, divulging your corporate email address on social networking sites should not be permitted.

-- Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that provides the same features and benefits, but with the security tools needed to keep employees and company secrets safe. But in the meantime, it's up to you.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.
