ARS had reported an interesting article about social networks being hacked. The Brazilian security researcher recently demonstrated how he could “friend” even allegedly more wary Facebook users in less than 24 hours. At the Silver Bullet security conference in São Paulo, UOLDiveo chief security officer Nelson Novaes Neto showed how he leveraged LinkedIn, Amazon, and Facebook to convince a target—a Web security expert he called “SecGirl” using social engineering.
Novaes created a fraudulent Facebook account, “cloning” the identity of the manager of the target. He then sent friend requests to friends of friends of the manager from the cloned account—sending out 432 requests. In just one hour, 24 of those requests were accepted, even though 96 percent of them already had the legitimate account of the manager in their contact list. He moved on to 436 direct friends of the manager, using his connections from LinkedIn—getting acceptances from 14 of them in an hour. Seven hours into the experiment, his cloned account’s friend request was granted by SecGirl.
With the information obtained by friending someone, it’s possible to then take over a legitimate Facebook account using Facebook’s “Three Trusted Friends” password recovery feature. Through the password recovery tool, a hacker can change both the password and the contact e-mail address for an account. The hacker could then use that hacked account for social engineering attacks on other accounts.
Neto said, “People have simply ignored the threat posed by adding a profile without checking if this profile is true. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”
Now we know one more feature of Facebook that we should NOT use!