By Tal Be'ery, Lead Web Researcher at Imperva and Rob Rachwald, Director of Security Strategy at Imperva.
Imperva has talked extensively about how the automation and industrialization of hacking have changed the face of cyber crime. With the advent of social networking, hackers turned to sites like Facebook to create another attack channel. However, these attacks were typically manual, such as uploading malware or creating fake pictures of a dead Osama Bin Laden.
Social engineering may now be entering the next phase: automation. Recently, a new tool emerged which automates social engineering on Facebook. Unlike hacking software, this tool doesn’t demonstrate any new theoretical security vulnerability. However, the automation of the social engineering process may have significant practical security implications, as the attack can now be launched by any script kiddie. The attack package is hosted on code.google.com: http://code.google.com/p/fbpwn/
What does the software do? It sends friend requests to a list of Facebook profiles, and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder. In other words, it automates the process of friending, sees who accepted and then collects all personal information in your profile as well as photos.
How does it work? The guide explains (with spelling and grammar errors preserved):
A typical scenario is to gather the information from a user profile. The plugins are just a series of normal operations on FB, automated to increase the chance of you getting the info.
Typically, first you create a new blank account for the purpose of the test. Then, the friending plugin works first, by adding all the friends of the victim (to have some common friends). Then the clonning plugin asks you to choose one of the victims friends. The cloning plugin clones only the display picture and the display name of the chosen friend of victim and set it to the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls waiting for the friend to accept. As soon as the victim accepts the friend request, the dumper starts to save all accessable HTML pages (info, images, tags, ...etc) for offline examining.
After a a few minutes, probably the victim will unfriend the fake account after he/she figures out it's a fake, but probably it's too late!"
The cloning plug-in is a critical part of how this works: it means that the victim may get a friend request carrying a real friend's name and picture, so one would accept it with no hesitation. Cloning is virtual identity theft: if two profiles are exactly the same, which one is real?
Who developed it? Employees of a security company from Egypt. They (uselessly) caution, “This project is a PoC. Use it on your own risk and please do not abuse!”
Why did they develop it and then release it publicly? Here’s what they stated on their website (with grammar and spelling errors preserved):
On behalf of Ahmed Saafan (project owner and administrator)
I have taken a significant amount of time thinking about releasing the program or not for the same reasons that everybody is discussing, abuse. However, I came to the conclusion that we should release it in the old “Full disclosure” way. My main goals for the release are:
User awareness for what is happening already in the wild but in a covert way: I already have seen many cases of innocent people being socially engineered and blackmailed because they do not know the implications of their actions online. This tool should make the people aware of the implications of their actions online. Accepting friend requests for even the smallest period of time without manually verifying that the friend is actually who he claims to be, is an example of wrong actions that we wanted to demonstrate. I have tried telling as many social media entities as possible about our PoC so that people get to know the risks as fast as possible and start being more careful about what they do online. Also, with the code being online, we tried to send a message of good intention; that we are not hiding anything within the binary code and that we don’t want any compensation.
Facebook attention to their flawed user verification process: From Facebook’s perspective, I think Facebook should have a more strict policy for verifying that people are who they claim to be, and filter out fake or impersonating accounts. I know that this contradicts with usability in a great way, but Facebook should figure out a way to do it. The tool demonstrates the risks that are already out there for user impersonation. I believe without fake accounts on Facebook, people wouldn’t risk their own account to be used in cons, or at least it the numbers will be reduced significantly.
Also, we have seen a very successful example of full disclosure, i.e. Firesheep. I think Firesheep has achieved in a very short time a significant amount of user awareness and got the people’s attention to the importance of SSL without being abused (to a great extent). However, now, non-technical users think as long as they have SSL enabled they are safe. So the tool is just another step into having –hopefully- a more secure cyber social network.
In fairness, it was only a matter of time before someone else developed a similar tool, but security professionals shouldn’t be facilitators. Not surprisingly, there have already been around 5,000 downloads since it was made public a week ago:
And here’s the GUI:
What can an attacker gain from such an attack? The attacker gains access to all data the victim exposes to their friends, i.e., it steals a virtual identity.
- The data itself may have value on the black market. For example, there is an active market for suggestive photos of scantily clad females.
- The attacker can now impersonate the victim. For example:
  - Give job recommendations over LinkedIn.
  - Provide a bridgehead for further social engineering.
  - Ask your IT admin (over FB, since you are friends now!) “I can't log in to something, can you reset my password?”
  - Defraud friends or relatives with money scams: "I'm stuck in Vegas with no money."
We hope:
- Facebook’s security team takes some action to make their platform immune to this attack by, for example, applying anti-automation measures.
- Facebook will help make consumers aware of this problem, as it will likely proliferate.
- Consumers of social networks should:
  - Never approve friend requests from people you don't know.
  - Be cautious when accepting friend requests:
    - Verify that he/she is not already in your friends list; if they are, your friend's profile was probably cloned.
    - Look at the applicant's profile before accepting the request. Find out if he/she is already a friend of a mutual friend, and be alert if they are not.
    - Look for "old" data: a cloned profile cannot clone the history, so dated posts to the wall, pictures, etc. may serve as evidence of fraud.
    - You may want to use another medium to verify that the request is genuine: email, phone, etc.
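The checks in the list above can be turned into a simple scoring heuristic for an incoming friend request. The following is an added example, not code from the original post or from the FBPwn project; the Profile structure, the picture-hash field and all sample accounts are constructed assumptions.

```python
# Added example, not from the original post or from FBPwn: a defender-side
# heuristic that scores an incoming friend request for signs of a cloned profile.
# Profile fields, the picture hash and all sample accounts are constructed.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Profile:
    name: str
    picture_hash: str   # assumed: hash of the display picture bytes
    created: date       # assumed: account creation date
    post_count: int     # assumed: number of dated wall posts
    friends: set = field(default_factory=set)  # ids of this profile's friends


def score_request(requester, me, directory, today):
    """Return (score, reasons); each reason is one clone indicator found."""
    reasons = []
    # A clone copies the display name and picture of someone already in my list.
    for fid in me.friends:
        friend = directory[fid]
        if friend.name.casefold() == requester.name.casefold():
            reasons.append(f"name duplicates existing friend '{fid}'")
        if friend.picture_hash == requester.picture_hash:
            reasons.append(f"picture duplicates existing friend '{fid}'")
    # No mutual friends is a signal, but a weak one: the friending plugin
    # described above deliberately befriends the victim's friends first.
    if not (requester.friends & me.friends):
        reasons.append("no mutual friends")
    # A cloned profile cannot clone history: new account, little dated content.
    if (today - requester.created).days < 30:
        reasons.append("account is less than 30 days old")
    if requester.post_count < 5:
        reasons.append("almost no wall history")
    return len(reasons), reasons


# Constructed sample data: my profile, two real friends and two requesters.
TODAY = date(2011, 5, 10)
ME = Profile("Alice Example", "h_alice", date(2007, 3, 1), 500, {"bob", "carol"})
DIRECTORY = {
    "bob":   Profile("Bob Smith", "h_bob", date(2008, 6, 1), 300, {"alice", "carol"}),
    "carol": Profile("Carol Lee", "h_carol", date(2008, 9, 1), 250, {"alice", "bob"}),
}
FAKE_BOB = Profile("Bob Smith", "h_bob", date(2011, 5, 1), 0, {"carol"})  # clone
GENUINE_DAVE = Profile("Dave Jones", "h_dave", date(2009, 1, 1), 200, {"bob"})

if __name__ == "__main__":
    for label, req in (("fake", FAKE_BOB), ("genuine", GENUINE_DAVE)):
        print(label, *score_request(req, ME, DIRECTORY, TODAY))
```

The cloned "Bob Smith" trips the duplicate-name, duplicate-picture, account-age and empty-history checks, while the mutual-friend check stays quiet because the clone already befriended Carol.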
Social engineering’s appeal is growing rapidly within the hacking community, which shouldn’t surprise anyone. While software vulnerabilities can be fixed or patched, human vulnerability is here to stay.