Thursday, October 20, 2011

Another Facebook Attack

You may be a champ at Mafia Wars and Farmville, but what do you know about the security risks of social media sites? Risk awareness is where it all starts.

For example, think back to when you first created your login with your bank or email provider. The common security questions ask what town you grew up in, what street you lived on, your mother's maiden name, your high school, your favorite teacher, and so on. How much of that information is already on your social media profiles? Now think about how many friends and relatives have complained about new banking fees, and how you offered up your two cents with "I've been using ABC Bank forever." With a little digging it is not hard to collect your information as well as your friends' and family's. In most cases, simply cloning your profile is enough to get your friends to accept a friend request from the cloned account, and they in turn give up all the information needed to attack them, their friends and their family.

How common are scams and hacks on social networks?
In 2009, Facebook officials announced they had surpassed 300 million users. Twitter claims to have 6 million unique monthly visitors and 55 million monthly visits. With that kind of reach, it's not surprising that criminals view these sites as a great venue for finding victims. As a result, security stories about Twitter and Facebook have dominated the headlines in the past 12 months. In one high-profile story from 2009, hackers managed to hijack the Twitter accounts of more than 30 celebrities and organizations, including President Barack Obama and Britney Spears (see: "Hackers Hijack Obama's, Britney's Twitter Accounts").

The video accompanying this post is an example of FBPWN being used to gather information from a Facebook account. FBPWN is a cross-platform, Java-based Facebook social engineering framework. It sends friend requests to a list of Facebook profiles and polls for the acceptance notification; once the victim accepts the invitation, it dumps all of their information, photos and friend list to a local folder. It has extensible module interfaces and built-in modules for advanced social engineering tricks.

A typical hacking scenario starts with gathering information from a user's Facebook profile. The plugins are just a series of normal operations on Facebook, automated to increase the chance of getting that information.

Typically, you first create a new blank account for the purpose of the test. The friending plugin runs first, adding all of the victim's friends so that the test account shares some common friends with the victim. The cloning plugin then asks you to choose one of the victim's friends; it clones only the display picture and the display name of that friend and sets them on the authenticated account. Afterwards, a friend request is sent to the victim's account, and the dumper polls, waiting for the victim to accept. As soon as the victim accepts the friend request, the dumper saves all accessible HTML pages (info, images, tags, etc.) for offline examination.

http://code.google.com/p/fbpwn/
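Seen from the defender's side, the friending and cloning steps above leave a recognizable footprint: a request arrives from a brand-new account that already shares many of your contacts and wears the name and picture of someone who is already on your friend list. The following is an added example, not part of the original post and not FBPWN's code, that triages a batch of incoming requests against an exported friend list and flags those indicators. The `Profile` fields, the `photo_hash` value (assumed to be a content hash of the display picture computed by whoever exported the data) and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class Profile:
    """Minimal view of an account. photo_hash is assumed to be a content hash of the
    display picture supplied by the exporter; it is not a real platform field."""
    account_id: str
    display_name: str
    photo_hash: str
    mutual_friends: int
    account_age_days: int


def normalize_name(name: str) -> str:
    """Fold look-alike Unicode, case and spacing so 'Jane  DOE' and 'jane doe' compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def clone_indicators(request: Profile, friends: list[Profile]) -> list[str]:
    """Return the reasons an incoming request resembles a clone of an existing friend.
    An empty list means no indicator fired."""
    reasons = []
    wanted = normalize_name(request.display_name)
    for friend in friends:
        if friend.account_id == request.account_id:
            continue  # a request from a friend's own account is not a clone
        if normalize_name(friend.display_name) == wanted:
            reasons.append(f"display name duplicates existing friend {friend.account_id}")
        if friend.photo_hash == request.photo_hash:
            reasons.append(f"display picture duplicates existing friend {friend.account_id}")
    # The friending step adds the victim's friends first, so a clone shows up as a
    # very new account that nevertheless already shares many contacts with you.
    if request.account_age_days < 30 and request.mutual_friends >= 5:
        reasons.append("account created recently but already shares many mutual friends")
    return reasons


def triage(requests: list[Profile], friends: list[Profile]) -> dict[str, list[str]]:
    """Map each requesting account id to its list of clone indicators."""
    return {r.account_id: clone_indicators(r, friends) for r in requests}


# Constructed sample data (not real accounts).
FRIENDS = [
    Profile("1001", "Jane Doe", "a1f3", 0, 3000),
    Profile("1002", "Bob Smith", "9c2e", 0, 2500),
    Profile("1003", "Priya Patel", "77d0", 0, 1800),
]

REQUESTS = [
    # Clone: Jane Doe's name and picture on a two-day-old account with many mutuals.
    Profile("5550", "Jane  DOE", "a1f3", 12, 2),
    # Legitimate stranger: unique name, old account, one mutual friend.
    Profile("5551", "Carlos Ruiz", "bb41", 1, 2100),
    # Namesake: shares a friend's name only; worth a look but fewer indicators.
    Profile("5552", "Bob Smith", "0e0e", 0, 900),
]

if __name__ == "__main__":
    for account_id, reasons in triage(REQUESTS, FRIENDS).items():
        print(f"{account_id}: {'REVIEW' if reasons else 'ok'}")
        for reason in reasons:
            print(f"  - {reason}")
```

A single name match is common among genuine namesakes, so the output is meant as a review queue rather than an automatic block; the combination of a duplicated picture and a fresh account with many mutual friends is the pattern worth treating as hostile.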

Wiredwizrd: Morgan Todd, Lewistown, PA

Experienced Information Technology Manager with a strong knowledge of technical guidance, IT best practices, security protocols, team leadership, and analyzing business requirements.