Using Facebook to Social Engineer Your Way Around Security

A penetration test by Netragard at an energy company highlights how hackers can use Facebook, LinkedIn and other social networking sites as part of phishing schemes. In the test, Netragard used social engineering to get its hands on information that could have been used to compromise critical systems at the company. Addressing this security issue means having smart policies about what employees can and cannot do on the Web.

The most important part of an attack isn't always a vulnerability; sometimes it's the user's trust.

This was certainly the case during an authorized penetration test at an energy company conducted by security vendor Netragard. Looking for a way inside the customer's defenses, the vendor turned to Facebook. Testers built a profile claiming to be that of an employee of that company, bolstered it with information on work experiences taken from actual employees of the energy company, and began "friending."

What the Facebook "friends" didn't know was that this was all part of a long con, a bit of social engineering used to lull the employees into giving up their credentials more easily. The simulated attack underscores both the importance of having sound policies on employee use of sites like Facebook, LinkedIn and MySpace and the challenges of authenticating users on the Web.

"Before the advent of social networks, criminals were able to access your employees through things like spam, or maybe they could call them up and social-engineer them," said Adriel Desautels, CTO of Netragard. "But sites like Facebook and MySpace and LinkedIn and all these different sites [give] criminals the ability to bypass just about any security technology you have in place and gain direct social access to your employees."

Trust is the name of the game when it comes to phishing. For Netragard, that meant doing a bit of reconnaissance. It turned out that a little more than 900 of the customer's employees were using Facebook. Since most were men between the ages of 20 and 40, Netragard chose the picture of an attractive 28-year-old female for its profile and began building up a list of friends.

The next step was to make use of a cross-site scripting bug on the customer's Web site to deliver a payload that would render a legitimate-looking HTTPS-secured Web page that appeared to be part of the customer's Web site. After conversing with real employees on the site for three days, Netragard posted on the Facebook profile a link to the rogue Web page with a message claiming the customer's site may have been hacked.

Users who visited the page were asked to verify their employee credentials, which were promptly sent to and extracted via an automated tool the company created. The bounty included credentials that would have allowed Netragard to access the majority of systems on the network, including the Active Directory server, the mainframe and the pump control systems.

"If your employees are using Facebook ... you want to know how susceptible they are to being conned into doing something that could put your business at risk," Desautels said.

There is no simple answer to the issue of verifying identity on social networking sites, as security researchers have demonstrated repeatedly at conferences such as Black Hat and ShmooCon.

"In this case, what we need is reliable user reputation," said Forrester Research analyst Chenxi Wang. "Companies like Purewire are working on a vision to provide universal user reputation, but we still have a ways to go before universal reputation becomes a reality."

Still, several analysts agreed blocking social networking sites simply isn't practical given their popularity. Companies with policies that are too restrictive run the risk that employees will turn to Web proxies, blinding the enterprises to Web traffic. There also may be legitimate reasons for marketing, human resources or other departments to access social networks. At the end of the day, it comes down to striking a balance between security and the needs of users.

"Maybe you want to ask employees not to list their employer on their profile or mention the company by name (or in any other way that would easily identify it) in postings," suggested Paul Roberts, an analyst with The 451 Group. "You might articulate a policy that discourages employees from posting from work and couple that rule with some good education about social networking hygiene."

Finally, Roberts advised, wait a month or two and perform an audit to see whether employees are following company guidelines and use the results to fine-tune the policy.

"Faced with what seem like arbitrary or overly strict policies on Web access, I've seen even the most technologically clueless employees figure their way around a Web gateway in no time so they can get to the content they want," he said. "It's kind of eerie, actually."