Social Engineering on Facebook – you’re probably already a victim

by

Many people these days use Facebook (myself included).  On this social site, it’s easy to get a little more “relaxed” about what information we put in our status updates, bio information, etc.  After all, it’s only seen by our Facebook friends that we authorize, right? Let’s step back and rethink that.

Facebook logo

This week we have a guest post by Aaron Dahl.  Aaron has been a Florida-licensed private investigator for over 6 years and has specialized in surveillance and social engineering. He is also the lead investigator at Trust Investigative Group.  An emerging sector of social engineering has taken Aaron’s attention. Online social engineering has grown proportionally with the popularity of social media sites like MySpace, Twitter, and Facebook. The new social engineers will create a false identity, gain your trust, and ultimately end up with valuable personal information about you. Aaron is dedicated to researching and educating the public about the dangers that are on major social media sites. In today’s post, Aaron points out some interesting ways that Facebook can be used maliciously.

Introduction
We’ve all gotten friend requests from a person that looks vaguely familiar, but you are not 100% sure of who they are. You have mutual friends so you assume that you know them from somewhere.  Their picture looks familiar for some reason. Their profile info reveals you have similar interests. So, you add them assuming that you do know them and are just having a mental block of how you know them. You have just become a victim of social engineering!

Social engineering is the art of manipulating a person for a specific purpose. The most typical social engineering application is an undercover cop. He socially engineers his way into the criminal realm to solve a crime. A person who lures a college aged girl studying abroad into his vehicle with intentions of human trafficking is a social engineer too! A person who tricks you into being your friend on Facebook is also social engineer and may have ulterior motives.

I am a licensed private investigator and have used Facebook social engineering for a while now. The purpose that I use it for is to assist in surveillance of insurance claims. When a person gets “hurt” in a car wreck and demands money, but the insurance company is tipped off that they are not hurt, the insurance company hires my company to investigate whether the person is actually hurt.

Generally, an investigator will conduct three 8-hour days of surveillance on the person, video their activity, and write a report on his findings. If the person claims they are hurt but are not, then the insurance company obviously wants to get video of the person engaging in physical activity. The investigator could go out for 3 random days, but the person could be on vacation or sick. Or, the investigator can go out when he knows the target will be active. How can the investigator know when the target will be active? This is where Facebook (Twitter and MySpace too) comes in.

If the investigator would be able to see the status updates of the person and what they are doing, then the investigator will be able to learn more about that person and choose the days of surveillance based on the target’s activity online. He may even find incriminating evidence, such as photos or videos, of the person on his profile. So, how does an investigator become a “friend” of the target? He cannot just add that person as a friend from his own personal profile. So, he creates a very convincing and targeted fake profile. I will go through the steps that a Facebook social engineer will use to create a profile that will make the target want to hit the “Confirm Friend Request” button and give him access to all his personal information.

The Technique
So how does a person get you to give access to their profile? There are a couple of techniques that a person would use. These are just 4 of the most common techniques. There are more advanced and technical ways, but this is an overview. These are the guidelines a social engineer uses to create fake profiles that ultimately get you to push the “confirm friend” button.

Name
Most would assume a person would put a generic name like “James Smith”, but that isn’t the best idea.  A generic name raises a red flag with people. So you want a more unique name, but not so unique that a person would have remembered that name. So, don’t put Maximus Jakoniella…that’s ridiculous. You want something like Cody Williamson, Jennifer Earl or something similar—in-between generic and outlandish.

Friends
You want to have “mutual friends” when you add the target. You want the target to see that you have friends in common which will lead them to believe that they know you from somewhere. It’s best to add people from their network—schools are best. What I do is I add all of their friends.  Most of the time you can view a person’s friend list without being their friend. People are ignorant on Facebook and you would be surprised at the number of people that will accept your request without question. You will get some that are suspicious and send a message asking “who are you” but for the most part, you won’t get any static. By the way, if someone does send you a message asking who you are, tell them that you have mutual friends and thought you met them at a party, or say something like, “I want to add everyone in that _____ network.” This lowers their suspicion of you.

Profile picture
Let’s say the target doesn’t recognize your name—obviously…it’s a fake person. So, they will look at your picture(s). So how do you go about choosing a picture? One convincing technique is going to Google and typing the fake name you chose. No matter what name you choose, Google will find a person with that name. For example, I typed in Cody Williamson and apparently there is a Cody Williamson and he is on MySpace. There are a couple of pictures of him which is good to add to your fake profile to add credibility. This way, if a person goes to Google and types in that name, those pictures come up and give your profile more credibility. Stay away from professionally shot images, stock images, and obviously celebrities. You want pictures that look like the millions of other profiles out there.

profile pictureI would also recommend a picture in which the person is not looking directly into the camera, which forces the person viewing the picture to use their imagination. The principle of self-fulfilling prophecy is your best weapon here. If you make the picture ambiguous, have mutual friends, and a vague name, the person is going to assume they know you and then try to connect the dots. The “Cody” I looked up had a picture where he was looking away from the camera, so all you can tell is that he has short, curly brown hair.

The target you are adding will try to think when they saw a person with short, curly brown hair and probably place you somewhere in their mind. However, if you put a profile picture that revealed facial features, then the person may think, “well, I saw a kid with short, curly brown hair, but his face didn’t look like that.” Also, if you add a picture of an attractive person, the target will try even harder to find a connection with you and they will be more apt to add you. It’s human nature. You want to play off self-fulfilling prophecy and their imagination.

Profile Information
You want to add some specific information on your profile information and not just general stuff. You should join the network that the target is in. You should add activities, tv shows, and ambiguous status updates to add credibility to your profile. You may even want to add a couple applications to add to the whole effect too.

Conclusion
With a good name, picture, friend selection, and profile information, your target will almost always add you as a friend. Once you have them as a friend, then you have access to all their information including status updates which can reveal sensitive information.

Application
So, beware of suspicious people adding you as a friend and watch out for the red flags. I use it for insurance fraud, but there are a lot of evil reasons why other people would want to use it including stalking, human trafficking, burglaries, and spammers that will sell your personal information. Also, employers may use these tactics to keep an eye on their employees.

This week’s video…you may have seen Jackie Evancho perform on television, on a show like “America’s Got Talent”.  This kid has an amazing singing career ahead of her, and she is only 9 years old.

Safety Harbor FL computer repair

Share this post

8 comments Add your comment »

Get updates when new comments are added. Subscribe to the comments RSS Feed

Rhonda Conway
April 5th, 2010

Now lots more people will have the information they need to access FB accounts. Huh???

Aaron Dahl
April 5th, 2010

Hi Rhonda, I am the author of the article.

Thank you for commenting on this article, it is good to see people reading this. I hope you are more knowledgeable after reading this and won’t become a victim.

The criminals are already privy to these tactics. The people that are ignorant are the potential targets. The reason I wrote this article is to educate you in what to look for so you don’t end up with a stolen car and ask, “how did this happen?”. Knowledge is power.

Everyone knows that the typical bank robber will use a gun. Therefore, banks put up bulletproof barriers. If this wasn’t common knowledge, a lot of banks would be robbed by armed criminals. Criminals don’t rob banks with guns anymore (Well, except for the morons), because banks anticipate it.

If you teach someone how to catch a liar, you have to study what a person does/says when he is lying, which would in turn, teach the student how to lie. Therefore, a book on “How to catch liars” could also be a book on “how to lie”. However, those books don’t necessarily help a liar, it really helps the one being lied to. Writing about how a person hacks your facebook account isn’t going to increase this type of activity, because it’s already in full force. However, it will educate the potential victims. It’s all in how you look at it.

Does that make sense?

Joyce
April 5th, 2010

I’m always amazed at just how ignorant people can be when it comes to traps such as these. I NEVER add a person as a friend unless I know them personally. I also have “friends only” as my options for seeing my wall and pictures. I know the latter isn’t foolproof, but accepting someone who “might” know you is ridiculous. Come on people. Where is your common sense?

Donna Rutherford
April 7th, 2010

The person who is the fraud here is ” Paula Schmid.” I had ignored this name and kept deleating it everytime it came up, but this person was very persistent and just kept pushing this name, so i added it thinking it was someone I knew. I found out from a friend in Florida, this is NOT the case. I need help here please.-Denise

Scott Johnson
April 7th, 2010

It’s true – one of the friend requests I received was from “Paula Schmid”. There were some mutual friends between us, and her college information said that she went to the same school from which I graduated. However, when I contacted each of our “mutual friends”, none of them knew her either. And now, her profile info lists a different college. Pretty clear case of deception. I have contacted the people that I know that were tricked by her, but she has a total of 256 friends right now and I can’t message all of them.

281-Donna Rutherford
April 7th, 2010

It is true ” Paula Schmid ” has listed many of my friends as her friends as well. i’m not sure about someone called ” Gee Zee” either. You might also want to look at that.

Christine Russell
April 15th, 2010

This was really helpful! I’ve received 2 spam friend requests through facebook. I looked, and they already had several of my friends as their friend and had listed their college as the same college I graduated from. I felt bad that I didn’t recognize their name. The one I had simply not accepted, and then the other I accepted because of the amount of my friends who were already friends. I went right to this fake person’s page only to find on their wall a message from our college warning that this person was a scam which led me to this article. Needless to say, I immediately removed them from my friends and also reported their profile as being a fake.

Thanks for this much needed insight and warning!

Cori
February 14th, 2012

so what if someone does this to you and assumes the ID of one of your friends and family members (who is metally handicapped) and one of their victims is a child….what if you know who this person is and it’s only to stalk you…and spy on you and your family…what if it is only to terrorize you for the last 2 yrs and to continue to do so….and they keep turning off and on the account as they want access to you, just to keep you from noticing the accounts or blocking them….then what???? Then do you call this action a crime???? I know about 56 people who think it is.