Thursday, February 12, 2009

Netragard : Facebook from the hacker's perspective.

For the past few years we (Netragard) have been using internet-based social networking tools to hack into our customers' IT infrastructures. Attackers have used this method since the inception of social networking websites, but only recently has it caught the attention of the media. Because of that new exposure we've decided to give people a rare glimpse into Facebook from a hacker's perspective. Credit for designing this specific attack methodology goes to Kevin Finisterre and Josh Valentine, both core members of our team.

Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can never be verified with certainty. As a result, it is easy to be one person one moment and another person the next. This is particularly true on internet-based social networking sites like Facebook (and the rest), where a profile is accepted at face value and nothing about it is checked.

Image provided by Michael Painter

Humans have a natural tendency to trust each other. If one person can provide another with "something sufficient", trust is earned. That "something sufficient" can be a face-to-face meeting, but it doesn't always need to be. Roughly 90% of the people we targeted and successfully exploited during our social attacks trusted us because they believed we worked for the same company they did.

The setup...

Facebook allows its users to search for other users by keyword, and many Facebook users list their place of employment in their profile. Some companies even have Facebook groups that only employees or contractors are allowed to join. So step one is to perform reconnaissance against those Facebook-using employees. This can be done on Facebook itself, or with reconnaissance tools like Maltego and

Reconnaissance is the military term for collecting intelligence about an enemy before attacking. In hacking, reconnaissance can be performed against social targets (Facebook, MySpace, etc.) and against technology targets (servers, firewalls, routers, etc.). Because our preferred method of attacking employees through Facebook is phishing, we normally perform reconnaissance against both.

When setting up the ideal attack, two things are nice to have but only one is required. The first is a Cross-site Scripting vulnerability (or something else useful) in our customer's website or one of their servers. The vulnerability is the optional component: it lets the phishing page live on the customer's own domain, but we can set up our own fake server if we need to. The second component is the required one: Facebook profiles for employees who work for our customer (other social networking sites work just as well).

In one of our recent engagements we performed detailed social and technical reconnaissance. The social reconnaissance identified 1402 employees, 906 of whom used Facebook. We didn't read all 906 profiles, but we did read around 200, which gave us enough information to build a convincing fake employee profile. The technical reconnaissance identified various vulnerabilities, one of which was the Cross-site Scripting vulnerability we usually hope to find. In this case it existed in our customer's corporate website.

Cross-site scripting ("XSS") is a class of web vulnerability found in sites that copy untrusted input into their pages without sufficient validation and output encoding. An XSS vulnerability lets an attacker inject script into a page that other users view, and that script then runs in the victim's browser with the site's origin. The injection can be done server side, by storing the injected code on the server (in a forum post, blog comment, etc.), or client side, by placing the code in a specially crafted URL that is delivered to a victim and reflected back by the vulnerable page.
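To make the client-side (reflected) case concrete, here is an added example that is not code from the original post or from Netragard: a hypothetical search handler that reflects a query parameter into its HTML, shown beside a hardened version that encodes it. The hostname, the function names and the crafted link are assumptions; the injected script is a placeholder that only proves execution, not the phishing page the post describes.

```javascript
// Added example, not from the original post. Hypothetical search page with a
// reflected XSS bug, beside its hardened form. example.com, the function names
// and the crafted link are assumptions.

// Vulnerable: the query parameter is copied into the response unchanged, so
// whatever the attacker put in the crafted URL is rendered (and executed) by
// the victim's browser as part of a page served from the trusted domain.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1></body></html>`;
}

// Hardened: encode the characters that can break out of an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderSearchHardened(query) {
  return `<html><body><h1>Results for ${escapeHtml(query)}</h1></body></html>`;
}

// The server side of a reflected attack: pull the parameter out of the link the
// victim clicked, exactly as a request handler would, then render with it.
function handleRequest(url, render) {
  const q = new URL(url).searchParams.get("q") ?? "";
  return render(q);
}

// Constructed sample: a crafted link of the kind the post describes. The
// injected script is a harmless placeholder that proves script execution.
const CRAFTED_LINK =
  "https://www.example.com/search?q=" +
  encodeURIComponent('<script>alert("xss")</script>');

// A crude check a reviewer can run over a rendered page: did injected markup
// survive as a real tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page reflects the tag:",
    containsScriptTag(handleRequest(CRAFTED_LINK, renderSearchVulnerable)));
  console.log("hardened page reflects the tag:  ",
    containsScriptTag(handleRequest(CRAFTED_LINK, renderSearchHardened)));
}
```

The `containsScriptTag` check is deliberately crude; it catches this particular payload, not XSS in general. The fix that matters is the output encoding in `renderSearchHardened`, applied at every point where untrusted data is written into a page.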

During our recent engagement we used a client-side (reflected) attack rather than a server-side (stored) one. We chose the client-side attack because it let us target only the users we were interested in: the payload reaches only the people who receive the link. Stored attacks are not as surgical and usually affect every user who views the compromised page.

The payload we created rendered a legitimate-looking HTTPS-secured web page that appeared to be part of our customer's website; because it was injected into the customer's own site, the browser showed the customer's domain and certificate. When a victim clicked the specially crafted link, the payload executed and the fake page was rendered. In this case the fake page was an alert warning users that their accounts might have been compromised and that they should verify their credentials by entering them into the form provided. When a user entered their credentials, the form submitted them to an automated tool we had built, which extracted and stored them.

After the payload was created and tested, we started building an easy-to-trust Facebook profile. Because most of the targeted employees were men between the ages of 20 and 40, we decided it would be best to become a very attractive 28-year-old woman. We found a fitting photograph by searching Google Images and used it for the fake profile. We also populated the profile with accounts of our experiences at work, built by combining stories we had collected from real employee Facebook profiles.

Once the profile was complete we joined our customer's Facebook group. Joining wasn't an issue; our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate employees began sending us friend requests. In addition to the inbound requests we made hundreds of outbound requests. Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.

After collecting a few hundred friends, we began chatting. Our conversations were built around work-related issues we had collected from legitimate employee profiles. After three days of conversing and sharing links, we posted our specially crafted link to our Facebook profile with the title "Omigawd have you seen this I think we got hacked!" Sure enough, people started clicking the link and "verifying" their credentials.

Ironically, the first set of credentials we received belonged to the person who had hired us in the first place. We used those credentials to log in to the web VPN, which in turn gave us access to the internal network. As it turned out, that one set of credentials also worked on the majority of systems on the network, including the Active Directory server, the mainframe, pump control systems, and the Checkpoint firewall console; nothing separated VPN access from administrative access to the most sensitive systems. It was game over. The Facebook hack had worked yet again.

During testing we evaluated the customer's entire infrastructure, but the results of that evaluation have been left out of this post for clarity. We also provided our customer with a solution tailored to them to counter the social network threat. They have since implemented it and have reported 4 other social penetration attempts since early 2008. The threat that social networks bring to the table affects every business, and the method of attack described here has an extraordinarily high success rate.


  1. In what way can a company effectively protect against this type of attack? I suppose if there are no vulnerabilities within their web servers then XSS would not be possible. However protecting against employees posting sensitive information online could only be done through employee awareness, which is never 100% guaranteed to work. Banning social networking sites at the firewall within the company would also lessen the threat.

  2. Eliminating technological vulnerabilities will not protect against this threat. The best way to defend against the threat is to set and enforce a policy that prohibits employees from using their employers name in social networking forums. Policies, policy enforcement, and education are the only really effective defenses against social engineering attacks.

  3. Excellent blog entry - well written, and a well worded insight into one of the most powerful tools in a pen-tester's/attacker's toolkit today.

    I was just wondering, you mentioned that the target company had been hit 4 other times that year. Do most attackers go to the same level of targeting that you did? You spent a lot of time REALLY getting to know the company so you could properly integrate into the Facebook community - and it paid off with a successful intrusion. In your experience do attackers go to this level of detail, or are they mostly generic attacks, e.g. using a good looking girl and a link to see her "pictures"?

    Robert McArdle

  4. Adriel,
    This is good stuff. I posted a request recently regarding social networking apps, specifically Facebook. My marketing dept. is considering using Facebook to do some advertising and promote business, targeting the 18-35 yr old crowd. I am obviously concerned with the potential risks. I work for a financial institution and I'm not crazy about the idea of encouraging new customers to go to Facebook and launch an app that would include information about our company and entice them to open accounts with us. Phishing is the first problem that comes to mind. What of Facebook's privacy and protection policies? Do they provide any types of controls, or because of the site's open nature are we pretty much on our own?
    Thanks for this blog and past ones as well.

  5. No, most penetration testing companies and hackers alike will not test at the level that we'll test at. We specialize in producing a threat that is a few notches higher than what our customers will probably face in the real world. When we deliver our report it contains detailed methods for remediation that if followed will enable our customer to defend against that higher threat level. This in turn means that they will be more than sufficiently secure to defend against their probable threat. They out run the bear while others can't run so fast...

    Having said that, there are hackers that will attack at even higher levels of threat. Those hackers are usually very focused and have a particular in and out goal. Some of them are intent on stealing data while others are intent on extortion, and they usually succeed. The fact is that if a hacker penetrates a bank and people can't figure out how, then he's got the upper hand. If that hacker shows the bank that he has access to all of their customer accounts and then threatens to publish all of the information on the internet if the bank doesn't transfer $10,000,000.00 to an off-shore account, they will transfer the money and keep it hush. Either that, or they suffer serious damages (much more than ten mil) and potentially go out of business.

  6. This is in response to anonymous from 6:26 AM:

    I'd very strongly recommend against the idea of using Facebook for marketing. You'd be opening your customers to an entire world of potential hurt via phishing and other types of attacks. If you did do that, you'd be very much on your own. Remember, facebook is full of hackers like us only we've got ethics and they don't.

  7. It will turn into a management decision to use Facebook and social networking sites for marketing purposes. From an advertising perspective there is a tremendous amount of value in using these sites as communication vehicles to reach a large population in a very cost effective way. I have presented my concerns from an information security point of view but I predict I'll be trumped by the marketing folks. Having so many other institutions using these social networking sites with success makes it appealing to management...

  8. Thanks a lot for your postings.

    I would like to know more about your embedded links on the Facebook profile.
    So what will happen when employees click that link?

    Could you provide the redirected website source?

  9. CEOinIRVINE, why would you want the source? We are not going to enable you to reproduce this attack, we don't know who you are or what your intentions are.

  10. Kudos bro!!!

    I read this post, and not only is it one of the most intelligently written ones, but you took deep matters and made them simple.

    I am the social engineer in our group... and was intrigued by this wonderful post.

  11. Wow, that is a good amount of detail. Excellent article.

  12. Pay much respect to the fine work put into this article. It describes in detail how this attack was performed, without giving script kiddies the opportunity to reproduce a similar attack.

    This was a rather large firm, did anybody suspect anything? I respect the right to privacy for the firm, but can you say anything about the type of company? Would you expect such large companies to be prepared?

    I really think all persons handling IT security need to put down some guidance.

  13. 2 Factor authentication would easily fix this issue. Nothing new to see here. Just another form of dumpster diving.

  14. In response to Wade M, you're incorrect, two factor authentication will not protect you against this sort of attack if the credentials are used in "real time". In fact, we just finished an engagement where this attack was used to enter a network that used two factor authentication. When a user submitted their credentials, we redirected that submission to a tool that authenticated to the network. The attack still works fine, the time window to enter is just a bit restricted. But once you are in you're in.

    That said, two factor authentication is a good step in the right direction because it impacts the usefulness of the stolen credentials that aren't used quickly. So there's a way around that by augmenting the attack. Instead of stealing credentials use facebook to distribute an infected document or PDF file. When the file gets opened by a target employee make sure that the payload is set to connect back to you. Once you get an established connection tunnel back in over that connection and you're in. No credentials required, just social engineering.

    Wade, just out of curiosity, how is this anything like dumpster diving? Are you suggesting that we social engineer dumpsters?

  15. I just read the article. There is a lot of truth in it. I saw all the solutions posted here. Some of them might even work, but they are geared to keep one out. The article emphasized the point of being on the inside of the social network. Once inside the network the hacker can take on anyone's identity. The hacker's real identity and IP address are submasked and masked through the last 15 backhole servers they came through to get to the network.

  16. I chanced upon your blog and found it very interesting as well as very informative; I needed this type of information, which you have provided. I am really thankful to you, this posting will help a huge number of people. Great ... Keep it up!

  17. Does Facebook allow you to violate their TOS for the pen test?