Published 4th January 2008
4 January 2008, London – The popular social networking site Facebook is wide open to spear phishing, and company CEOs and Finance Directors should be alert, according to managed security company Network Box. In a recent experiment the company managed to gain vital information about individuals by passing themselves off as old school friends. The company warns that these security flaws could be easily exploited by ‘spear phishers’...
Simon Heron, Managing Director, Network Box, explains: “We were asked to see if we could gain information about individuals without having a real-life link to them. We used a fake webmail account to create a fake Facebook account. With this we approached individuals who we knew to be in quite senior positions of employment and simply asked to be their friends, explaining that we knew them while at school.
“Several of our targets accepted our requests, which gave us access to their profiles. Once there we found personal details including: dates-of-birth, mobile phone numbers, home addresses, company name and job titles, and even one’s mother’s date of birth. With these details alone criminals could have enough to fill out a loan application on their behalf.”
However, it’s the more targeted spear phishing, where a specific company is targeted with phishing emails, that Facebook leaves the individual open to. Heron explains: “The details we found out can be used for spear phishing. If we wanted to go spear phishing, knowing your prey has money is key, as well as how to target them. If you know they are a CEO or FD then you know they will be vulnerable about getting complaints about the company. We can then target them to download documents with malicious code embedded or get them to visit an infected site.”
Keeping personal and company information off these social networking sites is the only way to keep from being targeted. Heron adds: “Any con can be a lot more successful if the con artist has personal information about the target.”