FBstalker Automates Facebook Graph Search Data Mining

FBstalker is a tool that automates queries against Facebook’s Graph Search feature. The tool collects data from users of the social network that can be used by phishers and hackers to gain access to networks.

Facebook’s Graph Search feature connects a lot of dots between friends on the social network—as well as between others who interact with your Facebook friends. Anyone with a keyboard has a nifty data mining tool at their fingertips that can bring up an intricate list of friends and acquaintances, along with their employers, common interests and plenty more that’s not been made private by a Facebook user.

Until now, connecting all of those dots was a manual exercise, but two researchers from Trustwave’s SpiderLabs have built a tool called FBstalker that automates queries through Graph Search. Built as a tool for penetration testers and enterprise IT security teams, FBstalker was released last Thursday. It can quickly, with just a Facebook user name, build a profile of a person’s activity on the social network. Researchers Keith Lee and Jonathan Werrett of SpiderLabs hope that businesses can use it to educate workers and consumers about how much they’re sharing with social networks and how over-sharing could facilitate phishing or lead to more invasive network attacks.

“Using FBstalker can pull back information for phishing campaigns. You get to know close associates, things they’re interested in, places they’ve visited,” Werrett said. “All of this is handy when crafting a phishing email to get a person to load up on a link or an attached payload. Most phishing campaigns are pretty successful without this type of data; they don’t need much of an edge. This kind of information helps an attacker tweak an email just enough to up the success rate.”

Experts were quick to deride Graph Search back in January when it was still in beta trials. In an interview with Threatpost, Christopher Hadnagy of White Hat Defense and founder of Social-Engineer.com said it was a beautiful feature from a social engineer’s point of view.

“I see this as a benefit for social engineers because you’re giving them victims; they’re not guessing anymore. Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about,” Hadnagy said. “With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.”

With FBstalker, a pen-tester or attacker could use the tool to not only map data about a potential target but also gain an understanding of the strength of association between friends which would aid in spoofing email addresses to victims, for example.

“If I post on a friend’s timeline and that timeline is open, FB stalker sees the posts on their timeline. It knows we’re friends, that perhaps I regularly post there, which indicates a strength of association, when the user is active on Facebook, which photos they like or are tagged in” Werrett said. “All of this can give you an indication of when they’re likely to answer an email or an instant message, and given the longitude and latitude of a post, whether they’re potentially awake at that time.”

Trustwave’s Lee built the tool, which allows for straightforward queries to follow a bunch of pre-programmed paths to build a profile.

“It depends on how much the profile is locked down or whether you’re friends with the user. If you’re not friends, it can reverse-engineer things based on your interactions with other people,” Werrett said. “It looks through photos, tags, comments, Likes, and looks at places, companies and other check-ins where you’re included.”

All of that data is pulled into a database that can produce a simple text file report or be exported into Maltego, an open source forensics and intelligence analysis tool that can do further intelligence gathering on a user.

The two researchers discussed FBstalker during the Hack in the Box conference last week in Kuala Lumpur, along with another similar tool called Geostalker, which starts with a physical address and combs social networks such as Twitter, Flickr, Instagram and the Wigle database and returns user accounts from those networks associated with a particular location. Geostalker, Lee and Werrett said, can help pen-testers in testing the physical security and accessibility of a sensitive location.

“We’ve gotten great feedback so far and quite a few people are interested in running it in their environments and are contributing feedback,” Werrett said. “We hope FBstalker is an education tool. All the data is there; we’re not exploiting a vulnerability in Facebook. It just highlights how much information can be pulled from a public source.”

Suggested articles