A penetration test by Netragard at an energy company highlights how hackers can use Facebook, LinkedIn and other social networking sites as part of phishing schemes. In the test, Netragard used social engineering to get its hands on information that could have been used to compromise critical systems at the company. Addressing this security issue means having smart policies about what employees can and cannot do on the Web.
The most important part of an attack isn't always a vulnerability; sometimes
it's the user's trust.
This was certainly the case during an authorized
at an energy company conducted by security
vendor Netragard. Looking for a way inside the customer's
defenses, the vendor turned to Facebook. Testers built a profile claiming
to be of an employee of that company, bolstered it with information on
work experiences taken from actual employees of the energy company and began "friending."
What the Facebook "friends" didn't know was that this was all part
of a long con-a bit of social engineering used to lull the employees
into giving up their credentials more easily. The simulated attack underscores
both the importance of having sound policies on employee
use of sites like Facebook, LinkedIn and MySpace
and the challenges of
authenticating users on the Web.
"Before the advent of social networks, criminals were able to access
your employees through things like spam, or maybe they could call them up and
social-engineer them," said Adriel Desautels, CTO
of Netragard. "But sites like Facebook and MySpace and LinkedIn and all
these different sites [give] criminals the ability to bypass just about any
security technology you have in place and gain direct social access to your
Trust is the name of the game when it comes to phishing. For Netragard, that
meant doing a bit of reconnaissance. It turned out that a little more than
900 of the customer's employees were using Facebook. Since most were men
between the ages of 20 and 40, Netragard chose the picture of an attractive
28-year-old female for its profile and began building up a list of friends.
The next step was to make use of a cross-site scripting bug on the customer's
Web site to deliver a payload that would render a legitimate-looking HTTPS-secured
Web page that appeared to be part of the customer's Website. After conversing
with real employees on the site for three days, Netragard posted on the
Facebook profile a link to the rogue Web page with a message claiming the
customer's site may have been hacked.
Users who visited the page were asked to verify their employee credentials-which
were promptly sent to www.netragard.com
extracted via an automated tool the company created. The bounty included
credentials that would have allowed Netragard to access the majority of systems
on the network, including the Active Directory server, the mainframe and
the pump control systems.
"If your employees are using Facebook ... you want to know how
susceptible they are to being conned into doing something that could put your
business at risk," Desautels said.
There is no simple answer to the issue of verifying identity on social
networking sites, as security researchers have demonstrated repeatedly at conferences
such as Black Hat and ShmooCon.
"In this case, what we need is reliable user reputation," said Forrester Research analyst Chenxi Wang. "Companies
like Purewire are working on a vision to provide universal user reputation, but
we still have a ways to go before universal reputation becomes a reality."
Still, several analysts agreed blocking social networking sites simply isn't practical
given their popularity. Companies with policies that are too restrictive run
the risk that employees will turn to Web proxies, blinding the enterprises
to Web traffic. There also may be legitimate reasons for marketing, human
resources or other departments to access social networks. At the end of the day,
it comes down to striking a balance between security and the needs of users.
"Maybe you want to ask employees not to list their employer on their
profile or mention the company by name (or in any other way that would easily
identify it) in postings," suggested Paul Roberts, an analyst with The 451
Group. "You might articulate a policy that discourages employees from
posting from work and couple that rule with some good education about social
Finally, Roberts advised, wait a month or two and perform an audit to
see whether employees are following company guidelines and use the results
to fine-tune the policy.
"Faced with what seem like arbitrary or overly strict policies on Web
access, I've seen even the most technologically clueless employees figure their
way around a Web gateway in no time so they can get to the content they want," he
said. "It's kind of eerie, actually."