09:42 AM
Connect Directly

Facebook As A Spear-Phishing Tool

My company Secure Network has been performing a variety of penetration tests that leverage information derived from sites such as MySpace and Facebook.

My company Secure Network has been performing a variety of penetration tests that leverage information derived from sites such as MySpace and Facebook.Some of our assignments have been to gather intelligence from these sites, which allowed us to steal the identities of employees, gain physical access to the workplace, and even get connected to internal networks. Numerous clients have asked us to see whether social networking sites used by their employees can lead to successful phishing attacks against their company and personnel. The results from the tests have been incredibly successful -- yet, at the same time, frightening.

It works like this: To prepare for a phishing attack, we start by focusing on the company Facebook group sites that were established by the employees of our client. Using a bogus identity, we join the company Facebook site and start mining the names and email addresses of individuals who identify themselves as employees. In the event they don't provide a company email address, we use the Internet to learn and use the email naming convention of our client, and then build our list based on that.

As we collect a database of names for our phish, our next step is to prepare the components needed to retrieve the bounty of our scam. We secure a domain name similar to that of our client, but include something of common importance to all employees. This domain name usually takes on the appearance of a human resources or benefits portal. When we email the employees as "human resources," they are redirected to a Web page ,such as Since the tests we perform collect real user names and passwords, we also secure a certificate so no data is obtained in clear text.

The appearance of the page takes on the look and feel of the company Website with similar banners, logos, and navigation structure. Our clients frequently ask we "dumb down" the page to provide a sporting chance for their employees to realize the page is a forgery. In most cases, we fill the page with misspelled words, irregular shaped logos, and a fine-print disclaimer that says the page is completely fictitious and has nothing to do with the human resources department.

The phishing email itself has the appearance of coming from the human resources department of the company. The content of the letter usually has a message that indicates a new benefits portal is being launched, and that the employee should follow the enclosed link. When directed to our bogus page, our phishing target is requested to enter their user names and passwords as they do each day when they log onto the company network. When they enter in the requested user name and password, we direct them to an "Under Construction" or "Come Back Soon" page.

The appearance of the email is typically formatted in HTML and follows the appearance of the page they are being directed to. As with the phony Web page, we give the employees a chance to spot that the message is a fake by sending the email from a Hotmail account, writing the message with poor grammar and numerous misspellings.

The day of delivering the payload is very important: We prefer Sunday night. Having mail stack up from Friday evening and during the weekend allows our message to be interwoven into a mix of email messages.

The results of our Facebook phishing tests have provided some amazing results. Although the size of the company makes a difference, on average we have been able to accumulate 300 to 500 phishing targets from Facebook and other social networking sites. When we launch our Facebook spear-phishing attack, we usually get an average response rate of 45 to 50 percent. So nearly half of the employees respond to our email with the logins and passwords they use on their employers' network.

When launching these directed phishing tests, we also found that in most cases, the tests have to be stopped by the middle or end of the first day after our email was sent. The reason is the phish usually becomes forwarded on by our targets to other company employees and entire departments: This exponentially increases our audience and creates mayhem in the company when somebody in HR finally realizes a phish is running rampant in the organization.

Another interesting finding is that targeted users will often provide more than one login and password when a displayed page indicates "Under Construction." Frequently, a respondent will enter a relatively hard password, but with a numerical sequence like Summer1, Summer2, and so on.

When we present the findings to our clients, it becomes clear that wealth of information collected from an unofficial company Website on Facebook could lead to a significant breach in their company network.

So what should you do to minimize the risk of company information being leaked or gathered via social networks? Here are a few tips:

-- Officially sponsor the social networking site and assign an administrator who is responsible for permitting employees to join. This will help control somebody infiltrating the site for devious purposes.

-- Establish a social networking policy. If your employees are participating in social networking sites (company sponsored or not) makes sure company policies dictate what is and is not permissible. For example, divulging your corporate email account on social networking sites should not be permitted.

-- Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keeps employees and company secrets safe. But in the meantime, it's up to you. Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.