What do HBGary, RSA, and Apple have in common? They were all victims of a social-engineering attack. There is a common saying in the InfoSec community that the most vulnerable portion of a network is between the monitor and the chair.
Due to advances in vulnerability detection and mitigation techniques, attackers are moving away from exploiting a firewall or an Internet-facing server to breach the network perimeter. Instead, they leverage trust rather than specific exploits and attack the user.
Unfortunately, the only answers for humans are awareness, training, and knowledge. Vendors are reluctant to attempt to fend off attack vectors that are based around social engineering. For example, Facebook has had two vulnerabilities disclosed to them that involve spoofing what the target user sees in an attempt to lure them into clicking a link.
The first vulnerability was discovered by the BlackhatAcademy, an Internet-based hacker think tank. When a user posts a URL to their timeline or news feed, Facebook grabs a thumbnail image of the linked page and displays a preview. However, when a user clicks the link, they are redirected to another, potentially malicious, page.
If a user clicks the link in the image above, they would not see the picture that is previewed; instead, they would be redirected to any site the attacker chooses. Facebook’s response was that they “were aware of the content forgery technique” and that they had “protection systems” in place; however, this vulnerability is still reproducible.
The second vulnerability involves Facebook’s messaging system. It is possible to send a message to anybody as anybody. A social-engineer could utilize this vulnerability to send an employee of a company a URL and create the illusion that his supervisor sent the message. The possibilities are endless. Facebook’s response to disclosure of the vulnerability is that it’s an “intentional feature” and they have “controls in place to monitor and mitigate abuse.”
To utilize the vulnerability, the attacker only needs to know the Facebook sign-in e-mail address of the person he wants to send the message as and spoof it as demonstrated below:
The easiest way to spoof an e-mail is to utilize sendmail and TrustedSec’s Social-Engineer Toolkit (SET).
First, select option 1, Social-Engineering Attacks.
Next, select option 5, Mass Mailer Attack. Then, tell SET to start sendmail and select option 1, E-Mail Attack Single E-Mail Address.
Next, go to the Facebook profile of the user you want to send the fake message to. Isolate the username from the URL. For example, in the image below, the URL is www.facebook.com/kirk.durbin, so my Facebook e-mail would be email@example.com.
Specify that you would like to use your own server, enter the e-mail address of the person you want to send the message from using the e-mail address they sign in to Facebook with, specify to use HTML and write your message.
Press CTRL+C when you are finished writing the message and you’re ready to send. In the image below, you will see a message sent from a co-worker to my Facebook account. Facebook’s protection controls indicate that they were unable to verify the sender and that the message was sent from the e-mail address of the user.
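The “unable to verify the sender” warning points at the check a receiving system can make on its own side. The following is an added example, not code from this post, from SET, or from Facebook: it reads the Authentication-Results header a mail server stamps on inbound mail and flags a message whose SPF and DKIM results did not pass. The sample message, host names, and addresses are constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample: the message claims to come from a co-worker's address,
# but the receiving MX recorded an SPF failure and no DKIM signature.
SAMPLE_RAW = """\
From: "Co-worker" <coworker@example.com>
To: recipient@example.net
Subject: Please review this link
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=coworker@example.com; dkim=none
Received: from relay.example.org (198.51.100.7) by mx.example.net
Content-Type: text/plain

Hey, can you take a look at this? http://example.org/doc
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside an Authentication-Results value.
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(msg):
    """Return {method: result} from every Authentication-Results header.

    The first header seen (added by the nearest, most trusted MX) wins when
    the same method is reported more than once.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in RESULT_RE.findall(str(header)):
            results.setdefault(method.lower(), result.lower())
    return results


def sender_verdict(raw):
    """Classify a raw RFC 5322 message as ('verified', []) or ('unverified', reasons).

    A message is only 'verified' when both SPF and DKIM reported 'pass';
    a missing header counts as 'none' and therefore fails the check.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    results = parse_auth_results(msg)
    reasons = [f"{m}={results.get(m, 'none')}"
               for m in ("spf", "dkim") if results.get(m, "none") != "pass"]
    return ("verified" if not reasons else "unverified"), reasons
```

In practice the header must be trusted only when it was added by your own mail server, since an outside sender can write an Authentication-Results header of its own.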
Facebook’s reaction to the disclosure is not uncommon. Service providers do not typically consider the actions of their users to be their liability; instead, responsibility falls on the setting in which the service is being used. It is up to the employer to ensure that their employees know what to look for in phishing and social-engineering attacks. User awareness, training, and knowledge are the only security patches available for the human element.
Have you been a victim of this kind of attack? Do you think Facebook is doing enough to protect its users from this obvious vulnerability? Let us know in the comments.