Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends. Max received a 1200 page PDF file with lots of personal details. Being a law student, understandably, Max examined the information from a privacy perspective. But what about security? We examined the content from Max’s report and asked:
- What Facebook data do hackers find interesting (part I)?
- How can hackers go about and obtain that data (part II)?
In the first of this two-part series we’ll tackle each question respectively. But before we do, some background on personal information and social media:
- Facebook contains much more data than most people realize. Again, Max Schrems got a 1200 page document from Facebook. Max noted that the document contained not just a lot information about him—but on his friends as well.
- Not all of the user’s private data is directly accessible to the user. Although some of the information is accessible via the application (a user can view their pictures, wall, and so forth), some of the data is not as accessible. For instance, dynamic data (such as unsaved chat logs) or geo info (such as IP addresses) are not typically retrieved. These are the things that Max, an EU citizen, requested to receive. Facebook, complying with EU regulations, obliged Max with all of his “inaccessible” data.
So what data does Facebook contain? It is a treasure-trove for information diggers since it contains:
- Personal Identifiable Information (PII) as well as general personal information. Included in this category are date of birth, home address and even the mother’s maiden name (and yes, some banks still use this information as an identifier). Even social security numbers can be extrapolated from many Facebook profiles, as shown by researchers at Carnegie Mellon University.
This type of data can be used for various purposes. With enough gleaned information, a hacker can even gain control of the user’s other online accounts. For example, using the “Forgot Password” feature which exists in many systems. This feature requires people to identify themselves by supplying an answer to a pre-determined personal question, such as the name of the user’s dog. An information digger can retrieve that type of info from the individual’s Facebook profile (click to BIGGIFY):
Hackers can also use this information to create more credible phishing emails. The email may contain a personalized message requesting that the user click on a link which actually refers to an attacker-controlled site, or even download a malware-laden file.
Hackers can also use this information for extortion purposes. A student in Pennsylvania, for example, was told by hackers that they would post a private video of online unless he wired $500 to a man in Morocco.
Finally, professional identity thieves can use much of this data to build a better profile of the victim.
- Passwords. Although this may also be considered PII, we found it reasonable to include it as a separate section due to its sensitivity. Gaining access to the victim’s account ultimately gives the hacker the knowledge and control over the user’s password. Consumers are notorious for using the same password across multiple sites, and the Facebook password may just as well be the same password to other online services. In effect, allowing the hacker to impersonate the users to other services.
- Friend-Mapping. Facebook is all about “Friends”. From a hacker’s perspective, this means that getting hold of a victim’s account will also provide the knowledge of the user’s circle of friends. Once in a circle of friends, a hacker posing as a trusted friend can cause mayhem:
- This allows hackers to create better scams (aka “419 scams”). For example, a message could seem to come from a friend requesting the transfer of monetary funds (“This is your friend, Tom. I am stranded in the middle of Paris with no money”). These phishing messages could be similar to those described above - containing links to malware or include malware-laden files. Since they purportedly come from the victim’s friend, the victim may be more susceptible to follow those links.
- Through friends-mapping, a hacker can also gain enough personal information on the user which can also be used for extortion purposes. For instance, MIT researchers released a piece of software which can determine a user’s sexual orientation according to their circle of friends. Many raised the implications of this to the outing of closeted individuals. The same approach could be applied to race or religion.
- Organizational structure. Similarly to friends-mapping, hackers can analyze the interleaved connections between individuals and analyze them in order to map out the structure of members of different organizations – as well as units within the organization. This is a stronger concern with other social networks, such as LinkedIn. However, this type of mapping can also be applied in Facebook, especially with businesses adopting “Fan” pages. The organizational structure can be used for corporate espionage, foreign-government and even military intelligence.
- Business plans. As a professional social network, LinkedIn provides a hotbed for competitive intelligence. But even Facebook provides enough info which is usable for competitive intelligence. In fact, different companies exist which offer exactly this kind of service. Users can follow what their competitors are discussing and what conversations they are participating in.
- Geo location information. Through geo-location information, a hacker can build a profile of the victim’s whereabouts. There were cases where law enforcement agencies actually were able to use this type of information to find and capture fugitives. Geo location data is all together more valuable when cross-referencing it with the organizational structure. This can be very useful, say, to gain military intel on the location of the adversary’s military units. In fact, last year an IDF operation was cancelled following a soldier’s status update of the operation’s time and location.
Who then are the hacking groups who would attempt to use or hack Facebook?
- Private hackers: This is your regular hacking for profit types. They just want to make money by duping consumers. As such, their focus is more on gleaning PII and passwords. Private hackers have also been known to perform extortion. Here's an example of one hacker who is trying to build a business hacking Facebook (click to BIGGIFY):
- Government-sponsored hackers: These hackers work for governments with the purpose of advancing some national agenda. They may use Facebook data for military intel purposes, uncover dissidents, and squashing dissention.
- Corporate-espionage hackers: These hackers may work for a certain organization or independently. The independent hackers may attempt to glean sensitive business information over time and then sell it to interested competitors. These hackers are mostly focused on corporate structure, business plans, and gaining enough information which will lead them to access other accounts (for you Girl With a Dragon Tattoo fans, think Lisbeth Salander).
- Hactivists: So far, hacktivists have used Facebook as a means of communication as opposed to a resource for taking data. For example, Anonymous claims to have taken some “revealing” photos of BART spokesperson Linton Johnson from Facebook. As hacktivism evolves, this will likely change. For example, we could see Facebook data exposed by hacktivists designed to embarrass individuals or an organization.