Many people these days use Facebook (myself included). On this social site, it’s easy to get a little more “relaxed” about what information we put in our status updates, bio information, etc. After all, it’s only seen by our Facebook friends that we authorize, right? Let’s step back and rethink that.
This week we have a guest post by Aaron Dahl. Aaron has been a Florida-licensed private investigator for over 6 years and has specialized in surveillance and social engineering. He is also the lead investigator at Trust Investigative Group. An emerging sector of social engineering has taken Aaron’s attention. Online social engineering has grown proportionally with the popularity of social media sites like MySpace, Twitter, and Facebook. The new social engineers will create a false identity, gain your trust, and ultimately end up with valuable personal information about you. Aaron is dedicated to researching and educating the public about the dangers that are on major social media sites. In today’s post, Aaron points out some interesting ways that Facebook can be used maliciously.
We’ve all gotten friend requests from a person that looks vaguely familiar, but you are not 100% sure of who they are. You have mutual friends so you assume that you know them from somewhere. Their picture looks familiar for some reason. Their profile info reveals you have similar interests. So, you add them assuming that you do know them and are just having a mental block of how you know them. You have just become a victim of social engineering!
Social engineering is the art of manipulating a person for a specific purpose. The most typical social engineering application is an undercover cop. He socially engineers his way into the criminal realm to solve a crime. A person who lures a college-aged girl studying abroad into his vehicle with intentions of human trafficking is a social engineer too! A person who tricks you into being your friend on Facebook is also a social engineer and may have ulterior motives.
I am a licensed private investigator and have used Facebook social engineering for a while now. The purpose that I use it for is to assist in surveillance of insurance claims. When a person gets “hurt” in a car wreck and demands money, but the insurance company is tipped off that they are not hurt, the insurance company hires my company to investigate whether the person is actually hurt.
Generally, an investigator will conduct three 8-hour days of surveillance on the person, video their activity, and write a report on his findings. If the person claims they are hurt but are not, then the insurance company obviously wants to get video of the person engaging in physical activity. The investigator could go out for 3 random days, but the person could be on vacation or sick. Or, the investigator can go out when he knows the target will be active. How can the investigator know when the target will be active? This is where Facebook (Twitter and MySpace too) comes in.
If the investigator would be able to see the status updates of the person and what they are doing, then the investigator will be able to learn more about that person and choose the days of surveillance based on the target’s activity online. He may even find incriminating evidence, such as photos or videos, of the person on his profile. So, how does an investigator become a “friend” of the target? He cannot just add that person as a friend from his own personal profile. So, he creates a very convincing and targeted fake profile. I will go through the steps that a Facebook social engineer will use to create a profile that will make the target want to hit the “Confirm Friend Request” button and give him access to all his personal information.
So how does a person get you to give them access to your profile? There are a couple of techniques that a person would use. These are just four of the most common techniques. There are more advanced and technical ways, but this is an overview. These are the guidelines a social engineer uses to create fake profiles that ultimately get you to push the “confirm friend” button.
Most would assume a person would put a generic name like “James Smith”, but that isn’t the best idea. A generic name raises a red flag with people. So you want a more unique name, but not so unique that a person would have remembered that name. So, don’t put Maximus Jakoniella…that’s ridiculous. You want something like Cody Williamson, Jennifer Earl or something similar—in-between generic and outlandish.
You want to have “mutual friends” when you add the target. You want the target to see that you have friends in common, which will lead them to believe that they know you from somewhere. It’s best to add people from their network—schools are best. What I do is I add all of their friends. Most of the time you can view a person’s friend list without being their friend. People are ignorant on Facebook and you would be surprised at the number of people that will accept your request without question. You will get some that are suspicious and send a message asking “who are you,” but for the most part, you won’t get any static. By the way, if someone does send you a message asking who you are, tell them that you have mutual friends and thought you met them at a party, or say something like, “I want to add everyone in that _____ network.” This lowers their suspicion of you.
Let’s say the target doesn’t recognize your name—obviously…it’s a fake person. So, they will look at your picture(s). So how do you go about choosing a picture? One convincing technique is going to Google and typing the fake name you chose. No matter what name you choose, Google will find a person with that name. For example, I typed in Cody Williamson and apparently there is a Cody Williamson and he is on MySpace. There are a couple of pictures of him which is good to add to your fake profile to add credibility. This way, if a person goes to Google and types in that name, those pictures come up and give your profile more credibility. Stay away from professionally shot images, stock images, and obviously celebrities. You want pictures that look like the millions of other profiles out there.
I would also recommend a picture in which the person is not looking directly into the camera, which forces the person viewing the picture to use their imagination. The principle of self-fulfilling prophecy is your best weapon here. If you make the picture ambiguous, have mutual friends, and a vague name, the person is going to assume they know you and then try to connect the dots. The “Cody” I looked up had a picture where he was looking away from the camera, so all you can tell is that he has short, curly brown hair.
The target you are adding will try to think when they saw a person with short, curly brown hair and probably place you somewhere in their mind. However, if you put a profile picture that revealed facial features, then the person may think, “well, I saw a kid with short, curly brown hair, but his face didn’t look like that.” Also, if you add a picture of an attractive person, the target will try even harder to find a connection with you and they will be more apt to add you. It’s human nature. You want to play off self-fulfilling prophecy and their imagination.
You want to add some specific information on your profile information and not just general stuff. You should join the network that the target is in. You should add activities, TV shows, and ambiguous status updates to add credibility to your profile. You may even want to add a couple of applications to add to the whole effect too.
With a good name, picture, friend selection, and profile information, your target will almost always add you as a friend. Once you have them as a friend, then you have access to all their information including status updates which can reveal sensitive information.
So, beware of suspicious people adding you as a friend and watch out for the red flags. I use it for insurance fraud, but there are a lot of evil reasons why other people would want to use it including stalking, human trafficking, burglaries, and spammers that will sell your personal information. Also, employers may use these tactics to keep an eye on their employees.
This week’s video…you may have seen Jackie Evancho perform on television, on a show like “America’s Got Talent”. This kid has an amazing singing career ahead of her, and she is only 9 years old.