Sunday, July 22, 2012

Social Engineering Social Networks - How I Will Be Your Friend

Introduction

As detailed in a previous post, social engineering is a common, yet effective, tactic used by attackers that involves "manipulating a person to accomplish goals that may or may not be in the “target’s” best interest." This usually results in the attacker gaining unauthorized access to systems, areas, or information that would otherwise be unavailable. However, while it was briefly mentioned, we didn't really discuss the opportunities available for an attacker or pentester by utilizing one of the most common goldmines of information available today: social networks.

Almost everyone has one or more social networking profiles on one of the major social networking sites (Facebook, Twitter, LinkedIn, Google+, or Myspace), including high-value targets for a social engineering engagements (e.g. "C-level execs", President's, VP's, etc.). These profiles include information that can be critical to a social engineer when crafting the most effective spear-phishing email possible, obtaining answers to secret questions to gain access to systems, or when harvesting data that can be used in further targeted attacks. In this post, we'll look at how to utilize our social engineering skills to methodically "befriend" employees in order to quickly gain access to specific targets.


The Objective

There is a ton of information to be gleaned from a target's social networking profile. Information such as past education and experience, hobbies and interests, other connections, etc. can be used to a social engineer's advantage.

Unfortunately (for the social engineer), social networking sites provide privacy settings for users to granularly configure who in their "connection network" has access to what data. These settings introduce the primary objective for a social engineer - how to get into the target's connection network. 
There are quite a few vectors of attack that can be used to gain access to a target's social network. The first, and most obvious (assuming the target has privacy settings configured correctly), would be to simply send a friend request to the target. While this may work (and will be used in later attack vectors) if the target is more than slightly cautious about who has access to their information, they will likely deny the request. We therefore need to rely on our social engineering techniques to make our friend request to the target seem appealing and believable enough for them to accept it.

Vector 1: Clone an Existing Friends Social Networking Account


When privacy settings are available and configured correctly, we must resort to other means to get a foothold into the target's social network. For the rest of the article, it will be helpful to consider the degree of mutual friendship someone has with the target. Someone who is directly connected to the targets social network will be considered to have a "1st Degree" friendship. Then, friends of this friend will have a "2nd Degree" friendship, and so on.

As mentioned, it is likely that the target may have correctly configured privacy settings. However, it is also likely that one of the many "1st Degree" friends of the target has not. With this being the case, the attacker can clone the contents of the friend's profile, and then use social engineering to send a message to the target, purporting to be friend. The message could be simple, saying something along the lines of:

"Hey,

Old account got hacked, so I made a new one."


This process would look something like the following:


Fig. 1: Cloning profile of friend in target's social network

It's surprising how many people will see a familiar picture, possibly even briefly check out the profile (in which all the details are correct), and accept the friend request. In fact, since the message implied that the account is new, the social engineer need not worry about having any mutual friends setup (see below for an attack vector that uses this method).

The downside to using this vector is that it can be very tedious trying to clone all of the details from one account, as well downloading (and subsequently uploading) profile pictures, etc. There is a Java based tool called fbpwn that can automate this process for you. Commits for this tool appear to have last been in May 2012, so the tool is still being maintained by it's author.

However, there are times where the target will not fall for this, and will likely deny the request. Instead of trying with a different profile (which will likely also be declined), we must use a different vector of attack.

Vector 2: Building an "N-Degree Web of Trust"

Another downside to cloning one of the target's close contacts is that the contact may notice the duplicate account being added to the target's social network, and notify him/her. While this will likely not affect the initial information gathered since it is assumed the details of the target's account will be copied very quickly, it may alert the target to the social engineer. One of the crucial aspects to performing a successful social engineering engagement (just like any Penetration Test) is limiting detection. Our goal is for the target to have little or no idea he/she was ever social engineered. We therefore consider a different strategy which can make the attacker seem trusted, even though the target may have never met him/her before.

One of things on which social networks have come to thrive is the aspect of mutual friendship. This is the idea of building connections with friends of friends.  Basically, the idea is that the more mutual friends one has in common with the target, the more likely the target will be willing to trust that he/she knows this person, or at least that this person would be a good contact to have, and will therefore be more likely to accept the connection request.

As a social engineer, we will use this to our advantage by creating a "web of trust." The idea behind this vector of attack is simple: get as many mutual friends as possible with the target. 


Fig. 2 - Building a Web of Trust
As shown above, we can start multiple degrees away from the final target, and "work our way up," having multiple short term targets in the process. However, the more mutual friends with the target we are able to obtain in the long run, the greater chances our request to join the target's social network will succeed. In fact, we can make this more effective by incorporating simple social engineering techniques in our final request by sending a short message about how the target knows us, using information we have gained through passive reconnaissance. Of course, this will be false information, but it can be believable enough to not cause any alarm. Consider the case where we find an announcement on the company website about the company picnic that happened a few days prior. We could then construct a simple message such as:

"Hey,

It was great to meet you at the picnic!" 

Just like that, the target could very well think that he/she has simply forgotten our "talk" with him/her, and that since we have so many mutual friends within the company, our story is likely true, and accept the request.

Conclusion

Hopefully this post has helped to illustrate two successful techniques for gaining access to a target's social network. Having this access provides a goldmine of information that can be used immediately (consider "secret questions" for websites, or building a wordlist for password brute-forcing) or later in further information gathering, pretexting, or attacking portions of the engagement. Both of these techniques can be used either separately or together depending on the scenario.

It should be noted that there are many other techniques that can be used either instead of, or in addition to, the techniques outlined above. If you know of any good ones, let me know in the comments below!

- Jordan

No comments:

Post a Comment