Those Facebook Posts Are Social Engineering Gold Mines, Stop Answering Them
Call it remote work, distance learning, isolation or quarantine: socializing digitally is the new norm. Social networks are the lifeblood of staying in touch with friends, family, and co-workers. That also introduces new risks to each person's security posture, because of the kinds of information they freely share.
There is a disturbing trend on Facebook right now. On the surface, to the untrained eye, these posts are harmless, silly questions about a person. To a security professional, they are a treasure trove of personal information that can be used to social engineer everyone who answers.
There are a few posts in question. Here is what they are, why you should not participate, and how that information could be used against you.
Posting your senior high school picture. A post with a list of 20+ questions covering maiden names, high school graduation years, cities you lived in, pet names, kids' names, and so on. Posts about your favorite things.
On the surface it is people socializing as they would in person. However, on Facebook and other social networks you are posting it for everyone in your network to see, and if your privacy settings are not configured correctly you are posting it for the whole Internet to see.
So what? What if a stranger knows what year I graduated High School?
The reconnaissance phase of social engineering is collecting data about you that can be used to compromise your existing accounts: answering Forgot Password security questions, generating password guesses from known information, or opening new fake accounts with your identity data.
A high school graduation year begins to pinpoint your age: seniors are 17 or 18, so I know your birth year to within two years. With that, I can easily find your graduation list through public sites. From there I can get women's maiden names, the hometown where you lived, mascots and the sports you played, and I can cross-reference your friend list to find the high school friends you are still connected with.
One seemingly benign year, and I have a dozen or more identity attributes about you and can slowly build a profile.
Again, so what?
As an attacker I can feed those attributes into a tool like John the Ripper. Its rule engine will take 50 innocent words and numbers about you and generate 100,000+ password candidates by combining and mangling them, in seconds. Unless you use a password manager to create unique, complex passwords, you probably build passwords from what you know, combining words and numbers into a string you think is complex. It might be, but if I can collect the data you used to build it, I can build my own candidates and greatly increase the chance that I generate the right one.
A single word on its own may be useless, but 50 "useless" words put together form a profile that could be used to answer your security questions for a website or service you use.
I have no doubt that Facebook posts like these are started by social engineers: innocent to the layman, valuable to the nefarious.
The last avenue for this data is the business model of Facebook itself: monetizing it through targeted advertising. All that specific data you voluntarily put out there is mined and fed into sophisticated machine-learning systems that build targeted profiles for ads. Privacy settings control what other users see, but your data is still with Facebook.
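To make the "50 words become 100,000+ passwords" claim concrete, here is an added example (not code from the original post, and not John the Ripper itself) of a targeted wordlist generator. It takes a constructed profile of the kind those question posts collect, applies a small set of mangling rules (case and leetspeak variants, joining up to three attributes, common suffixes), and then runs the offline guess loop against a hash of a constructed "victim" password built the way the post describes. The profile values, the password, the rule set and the use of SHA-256 are all assumptions made for the example; real cracking tools ship far larger rule sets and target real password-hash formats.

```python
import hashlib
import itertools
from typing import Dict, List, Optional, Set

# Constructed sample profile: the sort of attributes the Facebook question
# posts collect. No real person is described.
SAMPLE_PROFILE: Dict[str, object] = {
    "first_name": "Jennifer",
    "maiden_name": "Smith",
    "hometown": "Dayton",
    "high_school": "Fairmont",
    "mascot": "Firebirds",
    "pet": "Buddy",
    "child": "Liam",
    "graduation_year": 2003,
}

# Simplified leetspeak substitution and suffix rules; a real rule engine
# (John the Ripper rules, hashcat rules, CUPP) has far more of them.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "!!", "#"]


def base_words(profile: Dict[str, object]) -> List[str]:
    """Raw strings from the profile plus the years a graduation year implies."""
    words = {str(v) for k, v in profile.items() if k != "graduation_year"}
    grad = int(profile["graduation_year"])
    # A senior is 17 or 18, so the birth year is within a two-year window.
    years = {grad, grad - 17, grad - 18}
    words.update(str(y) for y in years)        # 2003, 1986, 1985
    words.update(str(y)[-2:] for y in years)   # 03, 86, 85
    return sorted(words)


def case_variants(word: str) -> Set[str]:
    """Case and leetspeak forms of one word; numeric atoms are left alone."""
    if not word.isalpha():
        return {word}
    lower, cap = word.lower(), word.capitalize()
    return {lower, cap, word.upper(), lower.translate(LEET), cap.translate(LEET)}


def generate_candidates(profile: Dict[str, object], max_join: int = 3) -> Set[str]:
    """Expand profile attributes into password candidates.

    Rules: case/leet variants of each atom, concatenation of up to max_join
    distinct atoms in any order, then one of the common suffixes on each stem.
    """
    atoms: Set[str] = set()
    for word in base_words(profile):
        atoms |= case_variants(word)
    ordered = sorted(atoms)
    stems: Set[str] = set()
    for n in range(1, max_join + 1):
        for combo in itertools.permutations(ordered, n):
            stems.add("".join(combo))
    return {stem + suffix for stem in stems for suffix in SUFFIXES}


def digest(password: str) -> str:
    """SHA-256 stands in for a leaked password hash so the example runs offline.
    Against bcrypt/scrypt every guess costs more, but the loop is the same."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_match(candidates: Set[str], target_digest: str) -> Optional[str]:
    """Offline guessing: hash every candidate and compare to the leaked digest."""
    for guess in candidates:
        if digest(guess) == target_digest:
            return guess
    return None


if __name__ == "__main__":
    # Constructed "victim" password built the way the post describes:
    # pet's name + graduation year + a punctuation mark.
    leaked = digest("Buddy2003!")
    wordlist = generate_candidates(SAMPLE_PROFILE)
    print(f"{len(base_words(SAMPLE_PROFILE))} profile words -> {len(wordlist)} candidates")
    print("recovered:", find_match(wordlist, leaked))
```

With only 13 base words and three rule families, the set already exceeds 100,000 candidates, and the "complex" password is recovered in well under a second. The defence is the one the post gives: passwords that are generated, not composed from facts about you, and stored in a password manager.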
Socializing is more important than ever, but the fads and trends that seem cute and fun for reliving old memories can be used in ways that are not so cute.
Be aware, be safe.