Using Facebook To Social-Engineer A Business

My firm was recently asked to compromise a company's network infrastructure using intelligence available from the Internet. The client's CIO was worried that social networking sites provided too much information about its employees and the company, so we discussed the possibility of using information gained from social networking sites to social-engineer our way into the customer's facility and, ultimately, into its network.We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking site like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer's employees were using Facebook, so we created a Facebook group site identified as "Employees of" the company. Using a fictitious identity, we then proceeded to "friend," or invite, employees to our "company" Facebook site. Membership grew exponentially each day.

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

The company was large enough for us to choose an individual located far enough from our designated location that the odds of someone knowing him would be minimal. Our chosen individual's profile page provided numerous pieces of information that proved helpful in stealing his identity. Posting his job title, phone number, and email address made it easy for us to craft a bogus business card with his information. The posted pictures helped us determine if our guy would be a reasonable match in terms of appearance, height, and weight. Additional profile data helped us learn other specifics, such as marital status, number of children, and schools attended.

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client's logo, and armed him with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within in seconds, he was provided a place to sit, connection to the Internet, and a 24x7 card access key to the building.

After reaching the goal of accessing the network, he departed at the end of the business day. Later that evening, he returned to the empty office building to conduct a late-night hacking session. As usual, numerous credentials and passwords were obtained from insider sources. Within a short period of time, he had accessed the company's sensitive secrets.

Our successful entry into the client's building, network, and data demonstrates how social networking sites such as Facebook can be abused as a new physical attack vector for the bad guys. When employees are willing to expose personal details of their lives, this can put their employer -- as well as their data -- at risk.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.