Facebook Graph Search Mines Potentially Rich Data for Phishers, Attackers

Facebook is serious about its new Graph Search feature, which helps users of the social media site narrowly search for friends with common interests in a much more intuitive fashion than a Google search, for example. Founder Mark Zuckerberg had tagged Graph Search the third Facebook pillar, right alongside the site’s news feed and timeline. So why are security and privacy experts nervous? There’s some serious horsepower behind Graph Search, and there are users whose interests aren’t as benign as finding friends of friends in a particular location who happen to like country music, fine wine and yoga.

“This is basically a beautiful feature coming from a social engineering point of view,” said Christopher Hadnagy, owner of White Hat Defense and founder of social-engineer.com. “I see this as a benefit for social engineers because you’re giving them victims; they’re not guessing anymore. Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.”

Graph Search is in beta right now; Facebook users can sign up for access to the beta and requests are usually fulfilled within a week. Once it’s rolled out in full force, phishers and spammers may have one more tool to refine their target lists. A sample search by Threatpost for engineers who work at Apple Computer returned several dozen results of people who indicated on their profiles they worked at Apple. An attacker can take that initial list and refine searches further as they choose.

“Think about the implications if you’re an attacker targeting a Fortune 500 company,” Hadnagy said. “You can take that list, refine it and find out people who like to eat here, or have a particular hobby and perform multiple attacks against a company by refining the victim list and develop phishing, phone or other attacks based on the interests of those people.”

Facebook representative Fred Wolens had no comment when asked by Threatpost about the concerns of experts and whether the implications on phishing and spam attacks were considered during development of the feature. He did confirm that users will have no way to opt out of search.

“But you can influence what others can see about you by controlling with whom and what you share with on Facebook—including profile information, posts, and photos,” Wolens said. “For photos or posts of you that have been uploaded by others, you can ask that they be removed from Facebook entirely, or you can untag yourself.”

Wolens said the decision to refine search capabilities to such a degree was based on user feedback that they expect a better search experience on Facebook.

“People put so much into Facebook, but until now there have been very limited ways to access this information,” Wolens said. “Graph Search allows you to select the content you want to view on Facebook.”

Lance Spitzner, a SANS Institute instructor and security training and awareness specialist, concurs that Graph Search has limitless potential for phishers and even possibly nation-state attackers who target particular individuals and organizations. The key is for users to understand the implications of sharing particular personal information on any social media outlet.

“In general, most people are good. They do not think about that small population of bad people who want to hurt them,” Spitzner said. “In addition they do not realize just how much information they are posting. They only post little bits at a time. Each bit by itself is not harmful, but when put together you have the completed puzzle. If people understood the entire puzzle, and the bad guys who will take advantage of that information, I think their attitude would change. It really comes down to awareness, or lack thereof.”

Compounding the risk is the fact that Facebook—and other social media—act as authentication into other online services. People’s inherent trust in the platform leads them to share more personal data and further enrich the environment for cybercriminals mining information on victims.

“This is another arrow in the quiver. Is it a better or worse arrow, I’m not sure yet,” Hadnagy said. “Facebook has millions of users and people are adamant about putting lives on Facebook; pictures, checking in from different locations, etc. When looking at the quantity of people doing that, and you add a tool that allows them to search that data for anything, this is one of the better arrows in the quiver.”

Facebook’s Wolens said all new features go through a “rigorous” code review process; engineers upon being hired go through six weeks of boot camp training that includes privacy and security. Products have to pass muster with product security, security engineering and other internal Facebook development teams, Wolens said, as well as third-party penetration testers. The same, he said, goes for privacy.

“Products are built with privacy in mind from the ground up, and Graph Search went through our rigorous privacy review process, just like every new product or feature that we launch,” Wolens said. “This process includes our Privacy (incl. CPOs), Legal, Security and numerous other departments. Graph Search respects all existing [user] privacy settings.”

Hadnagy, meanwhile, suggests that users use some critical thinking when they’re posting personal information to Facebook.

“This is how bad guys get to you and hack you,” Hadnagy said. “Is it Facebook’s fault? Partly, but they’re just feeding the desire people have. Users need to be educated to the dangers of these things.”
