8.3 Impersonation on Social Networking Sites
Social Engineering Through Impersonation on Social Networking Sites
- Malicious users gather confidential information from social networking sites and create accounts in others' names.
- Attackers use others' profiles to create large networks of friends and extract information using social engineering techniques.
- Attackers try to join the target organization's employee groups where they share personal and company information.
- Attackers can also use collected information to carry out other forms of social engineering attacks.
Social Engineering on Facebook
- Attackers create a fake user group on Facebook identified as "Employees of" the target company.
- Using a false identity, the attacker then proceeds to "friend," or invite, employees to the fake group "Employees of the company."
- Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, spouses' names, etc.
- Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building.
Social Engineering on LinkedIn and Twitter
- Attackers scan details in profile pages. They use these details for spear phishing, impersonation, and identity theft.
Risks of Social Networking to Corporate Networks
- Data Theft: A social networking site is an information repository accessed by many users, which increases the risk of information exploitation.
- Involuntary Data Leakage: In the absence of a strong policy, employees may unknowingly post sensitive data about their company on social networking sites.
- Targeted Attacks: Attackers use the information available on social networking sites to perform a targeted attack.
- Network Vulnerability: All social networking sites are subject to flaws and bugs that in turn could cause vulnerabilities in the organization's network.