Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

12/10/2009
01:24 PM
50%
50%

Using Facebook To Social-Engineer A Business

My firm was recently asked to compromise a company's network infrastructure using intelligence available from the Internet. The client's CIO was worried that social networking sites provided too much information about its employees and the company, so we discussed the possibility of using information gained from social networking sites to social-engineer our way into the customer's facility and, ultimately, into its network.

My firm was recently asked to compromise a company's network infrastructure using intelligence available from the Internet. The client's CIO was worried that social networking sites provided too much information about its employees and the company, so we discussed the possibility of using information gained from social networking sites to social-engineer our way into the customer's facility and, ultimately, into its network.We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking site like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer's employees were using Facebook, so we created a Facebook group site identified as "Employees of" the company. Using a fictitious identity, we then proceeded to "friend," or invite, employees to our "company" Facebook site. Membership grew exponentially each day.

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

The company was large enough for us to choose an individual located far enough from our designated location that the odds of someone knowing him would be minimal. Our chosen individual's profile page provided numerous pieces of information that proved helpful in stealing his identity. Posting his job title, phone number, and email address made it easy for us to craft a bogus business card with his information. The posted pictures helped us determine if our guy would be a reasonable match in terms of appearance, height, and weight. Additional profile data helped us learn other specifics, such as marital status, number of children, and schools attended.

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client's logo, and armed him with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within in seconds, he was provided a place to sit, connection to the Internet, and a 24x7 card access key to the building.

After reaching the goal of accessing the network, he departed at the end of the business day. Later that evening, he returned to the empty office building to conduct a late-night hacking session. As usual, numerous credentials and passwords were obtained from insider sources. Within a short period of time, he had accessed the company's sensitive secrets.

Our successful entry into the client's building, network, and data demonstrates how social networking sites such as Facebook can be abused as a new physical attack vector for the bad guys. When employees are willing to expose personal details of their lives, this can put their employer -- as well as their data -- at risk.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.