Thursday, December 1, 2011

Researcher shows how to "friend" anyone on Facebook within 24 hours

(Ars Technica) If there's any doubt how social networks have presented hackers with a wealth of social engineering tools, a Brazilian security researcher recently demonstrated how he could "friend" even allegedly more wary Facebook users in less than 24 hours. At the Silver Bullet security conference in São Paulo, UOLDiveo chief security officer Nelson Novaes Neto showed how he leveraged LinkedIn, Amazon, and Facebook to convince a target, a Web security expert he called "SecGirl", using social engineering.

Novaes created a fraudulent Facebook account, "cloning" the identity of the manager of the target. He then sent friend requests to friends of friends of the manager from the cloned account—sending out 432 requests. In just one hour, 24 of those requests were accepted, even though 96 percent of them already had the legitimate account of the manager in their contact list. He moved on to 436 direct friends of the manager, using his connections from LinkedIn—getting acceptances from 14 of them in an hour. Seven hours into the experiment, his cloned account's friend request was granted by SecGirl.

With the information obtained by friending someone, it's possible, Neto said, to then take over a legitimate Facebook account using Facebook's "Three Trusted Friends" password recovery feature. Through the password recovery tool, a hacker can change both the password and the contact e-mail address for an account. The hacker could then...

Read full story at Ars Technica