Social Network Hacking
Posted by Gunter Ollmann on August 08, 2007 at 10:50 PM EDT.

A couple of weeks back I stumbled upon some news postings about the use of MySpace and Facebook in successful identity theft crimes.

Without filling up a paragraph with links to the various news stories themselves, I’ll sum it up as simply as I can.  The victims had lots of personal information on their profiles – address details, contact details, birth dates, travel information, past schools, cats’ and dogs’ names, etc. – and this information was leveraged by criminals for fraudulent purposes.

OK, being more verbose by way of an example: Jane Doe goes into a restaurant and pays for her dinner with her credit card.  That credit card is skimmed (and later carded), and her details recorded.  The card details are passed to another criminal who then logs in to MySpace and finds Jane Doe’s personal page.  He subsequently uncovers her date of birth, the city she was born in, the high school she went to and a photo of her car complete with license plate (the photo was taken with her boyfriend when they went to the E3 conference this year).  Armed with this information, the criminal phones up her bank saying that “she” has forgotten her password and PIN number, but the bank can validate her because she was born April 4th 1980 and her recovery password is “MacCallan” – the name of her Irish Setter.

Pretty easy really - with a little imagination and a pinch of social engineering, identity theft can be a piece of cake (just ask Odysseus about his carpentry idea).

Passive Information Gathering

A few years ago I released a whitepaper covering the first phase of a penetration attack – passive information gathering – and the methodology it describes is probably more relevant today than it was back then (it’s more important today because external facing systems are better patched than they used to be, so it pays to get “personal”).  In a world of personalized attacks, spear phishing, whaling, and identity theft, passive information gathering can greatly increase the odds of success.

So, with that in mind, I thought I’d experiment with the various social network websites to see how they could be used as part of a professional hack.  Now obviously, if I was interested in some simple “spur of the moment” identity theft, I’d just trawl through one of the social networking sites and grab the first personal page that contained all the information I’d need to hijack their identity – but that’s too simple.

How would it work if I was, say, interested in hacking into a medium sized publicly traded company?  How about if I was to pick another security company like… well, perhaps I’ll keep their name anonymous because, for all intents and purposes, it could really be any organization…

Phase One: Who’s Who?

While it would be pretty easy to just Google by domain to uncover email addresses of users at the target company and then harvest their full names, the first social network I’ll try instead is LinkedIn (a business centric social networking and contact management site).

Using LinkedIn, you can search by company…

…and my target company revealed 50+ interesting employee profiles.  Lots of information about current positions, what they’re doing, what they’re responsible for, past jobs, the schools they went to, their degrees and the years they obtained them, and also several links to their personal websites.  Some of the profiles included details of products they have worked on and their key skills.  A lot of the profiles also list their business connections (you can block this, but most people don’t) – so you can see who their friends are, who they do business with, who their customers are likely to be, etc.

Not a bad start.  Within 20 minutes I’ve got a pretty good understanding of the hierarchical structure of the organization – who’s who – and just as importantly, who knows who.  A little more poking about using names gained from the company register and public tax filings and I have several more LinkedIn profiles related to the company directors and key investors.  I’ve also got a long list of names, email addresses, school names and personal websites I can spider and leverage later.

Phase Two: Who Are They?

Armed with a who’s who, phase two revolves around finding out who they really are – what makes them tick, are there any juicy details, etc.

Now, just so you know, there are LOTS of social networking sites – in fact, just check out Wikipedia for a list of the better known ones.  But, for this exercise, I decided to trawl just the Top-5 – which are MySpace, Facebook, Bebo, and Xanga (according to Hitwise).

First off, Facebook was a waste of time.  They have several restrictions on seeing people’s profiles and their search engine leaves a lot to be desired (from an attacker’s perspective) – not to mention the fact that you actually have to build your own list of contacts through an opt-in process, so you can’t readily “browse” profiles.  Since I wasn’t about to invest that much time in this exercise, I bailed from the site pretty quickly.  Pity – word on the street is that Facebook is pretty good for trawling for personal information.

Next off was  It only revealed a few erroneous details about one person on my list from LinkedIn – and only a couple of those were more than what I could have gotten already.  So, not particularly useful in this test.

The remaining three – MySpace, Bebo and Xanga – all yielded some pretty interesting stuff (I’ll cover them together because, apart from some generic layout differences, you’d be hard pressed to differentiate between them).  About a dozen of the people from the LinkedIn list had their own pages on at least one of these sites.  Details trawled back from the sites included birth dates, address details, favorite books/movies/authors/characters, instant messenger IDs, personal blogs, where they went on holiday and which hotels they stayed at, etc.  Basically, most of the information you’d need to hijack their identity and open a few financial accounts, etc.

Some of this information led to the uncovering of various spouses’ profiles, along with some of their children and, in two cases, their parents… which invariably led to lots of other personal information being leaked about them, along with their habits.  And, since these are social networking sites, I could also pick through their listed friends and, in doing so, uncovered another 20+ work colleagues to add to my list.

Phase Three: The Attack

Well, phase three would be about actually using the data to launch an attack – and I’m not about to do that. Sorry to disappoint, but read on anyway.

There were plenty of attack vectors that would have been oh-so-easy to engineer.  Whaling would have been trivial – especially with details of their key contacts and business exchanges.  Targeting multiple people with very personal email scams would have taken a few minutes – emails that appeared to come from a close friend with a few attached “photos” from last week’s party down at the lake, etc. (malicious code, of course).

If you wanted to get more insidious, merely presenting some of the facts that were found – such as personal address details, details of their family and children and slanted references to activities in their personal blogs – would cause a lot of unease, distract these people from their normal jobs, and raise some concern about their physical well-being.

From the other side of things, by mapping out the organization – who’s who, their skills and responsibilities, as well as a lot of CVs – this information could be sold on to recruiters or other agencies.  For example, supposedly the going rate for knowing someone’s name, age, address and socio-economic band is about $50.  Add to that the names of their entire family, household income, where they like to holiday and the fact that they’re looking to buy a new car – well, I’m pretty sure that’s worth even more money to someone else.  Actually, I wonder how much it’s worth knowing their address and that they’re going on holiday for 10 days starting Saturday, and that their house will be vacant the whole time?

One last thing I find amusing.  Public blog entries discussing how sections of code the person wrote late last year for the company probably infringe on a competitor’s patent, and how he warned them at the time… well, that’s just plain dangerous.  You’ve gotta love social networking sites ;-)

Update Aug 9th, 11:00am:

I was asked a couple of times whether this class of information harvesting and attack has some specific name.  I'm pretty sure it doesn't have one already, but I figured it probably should.  And, since this closely relates to Phishing and that class of technical social engineering, I'd propose the name "Shucking" for the time being.

Definition of "Shucking" - Based upon the technique of opening oyster shells to reveal the fruit of the sea, Shucking is the process of obtaining confidential and personal information about an intended target for Spear Phishing or Whaling attacks from public sources - typically conducted in a passive manner.  By lifting the lid and looking under the covers of various social networking and blogging sites, an attacker can enumerate many (if not all) of the details that will personalize their identity theft attack and raise the likelihood of success to near 100%.

Copyright 2001-2007 © Gunter Ollmann