Using Facebook to Steal Company Data

Wednesday, April 07, 2010

Robert Siciliano


Robert Siciliano Identity Theft Expert

There is a reason why computer users are called “users.” Like crack addicts who are drug users, more is never enough. And when under the influence, people do stupid things. I find myself scanning the Dell catalog like it’s the latest (or any) Victoria’s Secret catalog. I’m amazed at how many people I know are online all day long and digitally stoned. The bad guy knows you are obsessed and uses this against you. He sees that you are comfortably numb here. He understands that in the virtual world you’re delirious and more apt to respond to his message and then hand over your credentials.

Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. and a contributor to Dark Reading, tested his client’s network using a bogus identity: he joined the company’s Facebook site and started mining the names and email addresses of individuals who identified themselves as employees.

As he collected a database of names for the phishing stage of the penetration test, he secured a domain name similar to that of his client. This domain name took on the appearance of a human resources or benefits portal. When he emailed the employees as “human resources,” they were redirected to a Web page such as https://www.xyzcompany-benefits.com.

He has been able to accumulate significant numbers of emails for phishing targets from Facebook and other social networking sites. When he launched his company’s Facebook spear-phishing attack, he usually got an average response rate of 45 to 50 percent. So nearly half of the employees responded to an email with the logins and passwords they use on their employers’ network.
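The defensive counterpart to the look-alike domain described above is to flag sender domains and link hosts that resemble the company’s real domain before the mail reaches employees. The script below is an added example written for this article; it is not code from the original post or from Secure Network Technologies. The company domain (xyzcompany.com), the portal words and the mail-log lines are constructed assumptions for illustration, and the scoring rules (brand name embedded in the registrable label, or within edit distance 2 of it) are a simple heuristic, not a product feature.

```python
"""Flag look-alike domains in mail-gateway log lines (defensive check).

Added example, not code from the original post. COMPANY_DOMAIN, the
sample log lines and the thresholds are constructed assumptions.
"""
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "xyzcompany.com"  # assumed legitimate corporate domain

# Matches 'from=user@domain' and any http(s) URL in a log line.
SENDER_RE = re.compile(r"from=[^\s@]+@([\w.-]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable_label(host):
    """Second-level label of a host: 'www.xyzcompany-benefits.com' -> 'xyzcompany-benefits'."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, company=COMPANY_DOMAIN):
    """Return 'legit', 'lookalike' or 'unrelated' for a sender or link host."""
    host = host.lower().strip(".")
    if host == company or host.endswith("." + company):
        return "legit"  # the real domain or one of its subdomains
    brand = registrable_label(company)  # 'xyzcompany'
    label = registrable_label(host)
    # Brand name with something appended (xyzcompany-benefits) or a
    # different TLD, or a near-typo of the brand (xyzcompny).
    if brand in label or levenshtein(label, brand) <= 2:
        return "lookalike"
    return "unrelated"


def domains_in_line(line):
    """Sender domain plus every URL host found in one log line."""
    found = set(m.lower() for m in SENDER_RE.findall(line))
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            found.add(host.lower())
    return found


def scan_messages(lines, company=COMPANY_DOMAIN):
    """Return [(line_index, [flagged domains...]), ...] for look-alike hits."""
    hits = []
    for idx, line in enumerate(lines):
        flagged = sorted(d for d in domains_in_line(line)
                         if classify_domain(d, company) == "lookalike")
        if flagged:
            hits.append((idx, flagged))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "from=hr@xyzcompany.com url=https://intranet.xyzcompany.com/benefits",
    "from=benefits@xyzcompany-benefits.com url=https://www.xyzcompany-benefits.com/login",
    "from=news@example.org url=https://example.org/newsletter",
    "from=it@xyzcompny.com url=https://xyzcompny.com/reset",
]

if __name__ == "__main__":
    for idx, domains in scan_messages(SAMPLE_LOG):
        print(f"line {idx}: look-alike domain(s) {', '.join(domains)}")
```

Run on the constructed lines, only the HR-portal impersonation and the typo domain are flagged; the real intranet host and the unrelated newsletter pass. Tune the edit-distance threshold for short brand names, where a distance of 2 matches too many unrelated labels.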

Steve says:

– Officially sponsor the social networking site and assign an administrator who is responsible for permitting employees to join. This will help prevent somebody from infiltrating the site for devious purposes.

– Establish a social networking policy. If your employees are participating in social networking sites (company sponsored or not) make sure company policies dictate what is and is not permissible. For example, divulging your corporate email account on social networking sites should not be permitted.

– Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keep employees and company secrets safe. But in the meantime, it’s up to you.

Sober up and protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN

Michael Menefee Robert,

I can certainly attest to the necessity of organizations taking active participation in the Social Media aspects of their data security policies.

We recently had a client that had customer and partner blogs (that they knew about) that gave us enough information to walk right into several of their locations and plug directly into their network.

We used this information to simply empathize with known issues to establish a baseline of trust...

Ignoring the problem won't make it go away... I agree with Steve... organizations need to take control of their Social Media assets and manage them like the rest of their data.
Robert Siciliano Agreed Michael. Thanks for the feedback.
hamza karmani I have found a fake Facebook page that looks like the original and redirects you to your index page as if you had logged in to the real Facebook site.

thanks for the feedback
Michael Kinder In reference to the last point in the article "Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keep employees and company secrets safe."

A vendor has done this. Check out IBM's Connections - it is corporate, secure Social Networking.
Robert Siciliano Excellent Michael, thanks for the tip.