How Hackers Use Social Engineering to Get Passwords on Facebook


We’ve all seen them on Facebook, maybe even done them ourselves: viral social media quizzes. Perhaps it was about the top 10 concerts you’ve attended or a dozen fun facts people might not know about you. Innocent though they may seem, these social media quizzes can put you in the crosshairs for attackers, both physical and cyber. They are a prime example of over-sharing sensitive data online, which has grown rampant with the advent of social media.

In this post, we’re shining a light on this ubiquitous issue for two reasons: it is one of the most prevalent risks on social media, and one of the most preventable.

Over-sharing is not limited to viral quizzes or trends. Posting publicly about vacations, family, personally identifiable information (PII), or your physical location can, in some cases, put you at risk. Most people know not to post pictures of their credit cards or disclose sensitive login or financial information, but a surprising number of people post their phone numbers, home address and more on social media. After all, the networks encourage users to fill out every possible field on their profile, including some of the more sensitive ones.

Attackers can use this data in three main ways:

Bruteforcing passwords

Attackers look for any information that could help them guess passwords, and often it doesn’t take much. The most commonly used password in 2020 was “123456,” followed by “123456789.” By some estimates, trying only the 25 most common passwords succeeds against roughly half of accounts. Passwords that are not on that list are often only marginally more complex: a dog’s name or a street name with “123” on the end. Rather than exhaustively brute-forcing every possible string, attackers feed keywords you happily disclosed on your profile into automated tools that mutate and combine them (capitalisation, “123”, a birth year, an exclamation mark, pet name plus street), testing thousands of targeted guesses in minutes.

Attackers also use data gleaned through over-sharing to answer security questions and take over accounts through the password-recovery flow. Security questions are typically things like the name of your first pet, the street where you grew up, your high school mascot, your favorite author or your childhood hero. They sound strikingly like viral social media quiz questions, don’t they? Treat the answers as passwords: nothing requires your “first pet’s name” to be true, so use a random string and keep it in your password manager alongside the password.
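To make the two points above concrete, here is an added Python example (not code from the original post or from ZeroFox): it models how an attacker turns a handful of over-shared facts into a short, ordered guess list, and lets a defender check where a chosen password or security-question answer would fall in that list. The profile values, the common-password list beyond the two entries the post cites, and the mutation rules are all constructed for illustration.

```python
"""Targeted password guessing from over-shared profile facts.

Added example, not from the original post: it shows how an attacker turns
facts scraped from a public profile or a viral quiz into a short,
high-hit-rate guess list (the "automated tools" the text mentions), and
how a defender can check whether a password or security-question answer
falls inside that list. Every profile value below is constructed.
"""
import itertools

# Constructed profile facts of the kind a quiz or a public bio leaks.
PROFILE = {
    "pet": "Biscuit",
    "street": "Maple",
    "band": "Radiohead",
    "birth_year": "1988",
    "mascot": "Tigers",
}

# Head of a common-password list. The first two entries are the ones the
# post cites for 2020; the rest are typical, not a verbatim vendor ranking.
COMMON = ["123456", "123456789", "password", "qwerty", "12345678", "111111"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "1!", "2020"]


def variants(word):
    """Case and leetspeak mutations of one keyword, in a stable order."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return sorted(forms)


def candidates(profile):
    """Ordered guess list: common passwords first, then single keywords with
    typical suffixes, then keyword pairs such as pet + birth year."""
    words = list(profile.values())
    years = [profile["birth_year"], profile["birth_year"][-2:]]
    guesses = list(COMMON)
    for word in words:
        for form in variants(word):
            for suffix in SUFFIXES + years:
                guesses.append(form + suffix)
    for first, second in itertools.permutations(words, 2):
        for sep in ("", "_", "."):
            guesses.append(first.capitalize() + sep + second.lower())
    seen, ordered = set(), []          # de-duplicate, keep likeliest-first order
    for guess in guesses:
        if guess not in seen:
            seen.add(guess)
            ordered.append(guess)
    return ordered


def guess_rank(secret, profile=PROFILE):
    """1-based position at which `secret` would be tried, or None if it is
    outside the targeted list (i.e. it survives this attack)."""
    try:
        return candidates(profile).index(secret) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    guesses = candidates(PROFILE)
    print(f"{len(guesses)} candidates generated from 5 profile facts")
    for secret in ("123456", "Biscuit123", "Maple_radiohead", "Biscuit", "x7#Lq!v9wRt2"):
        print(f"{secret!r:18} rank={guess_rank(secret)}")
```

A few hundred guesses is small enough to try by hand against a login form that does not rate-limit, and the security-question answer “Biscuit” is found in the first few dozen tries because it is a keyword with an empty suffix. A password that is not built from profile facts (the last one in the demo list) is never generated at all, which is the whole argument for random passwords and random security-question answers.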

Social engineering attacks

Any information you post on social media can also be used by an attacker to craft a social engineering attack. Armed with your personal information, an attacker is well-equipped to customize a message for you that looks legitimate. For example, if an attacker knows you’ve been to a Radiohead concert, the message, “did you see Radiohead’s newest song? Just dropped today!” will have a much higher chance of success. Attackers drive users to phishing pages and malware with this tactic. The message is even more effective when it comes from a fake account impersonating someone you know, or, better yet for the attacker, from the real account of a connection after it has been hijacked.

Physical theft

People love to post photos of their vacation while they are still on it. If an attacker knows where you live, a surprisingly easy thing to figure out in the social media age, especially if you list it on your profile, enable geolocation on your posts or have ever posted photos from in or around your house, then a real-time vacation post tells them the house is empty and for how long. We suggest waiting until you are home to post, and avoiding language that signals you are away or when you will be back.

We’re not advocating you stop posting on social media altogether. Rather, be careful what you share, and take a second to think about the potential consequences before shouting that information into the public forum of social media.

ZeroFox recommends the following to stay safe on social media:

  • Be careful with social media quizzes, and only answer the questions you feel comfortable with. If an answer relates to a password or a security question, do not post it. Our advice? Don’t fill them out at all.
  • Do not disclose any sensitive information in your profile bio, even if the network encourages you to complete it. This includes phone number, address, birthday and more.
  • Be careful of what is in an image before you post. Can you see your credit card on the table? Is your address or street sign visible in the back?
  • Beware of scams, such as coupons and promotions distributed through sites other than the official retailer.
  • Check for HTTPS, but do not treat it as proof of legitimacy. A padlock and an “https” address mean only that the connection is encrypted and that the certificate matches the domain shown in the address bar. Certificates are free and quick to obtain, so most phishing sites now have a valid one. A site that asks for credentials or card details over plain “http” should never be trusted, but a valid certificate on a lookalike domain is still a phishing site. Browsers no longer highlight the padlock in green, so read the domain name itself.
  • Ensure two-factor authentication is enabled on your social media accounts when available. This provides yet another barrier of protection should a malicious page steal your credentials. Many social networks can now require a code sent to your phone or email when they detect a new browser or device attempting to access your account. Where the network offers it, prefer an authenticator app or a hardware security key over SMS codes, which can be captured by SIM swapping or relayed in real time by a phishing page.
  • Beware of links on social media. Hover over them to get a preview and look closely for impersonator URLs and characters meant to look like others. When in doubt, copy the link into a free analysis tool like VirusTotal.
  • If anyone or anything prompts you to download and install an app or file, steer clear. Mobile apps should only be downloaded from curated app stores such as the Apple App Store or Google Play; apps from any other source should not be trusted.
  • Ensure that your anti-virus and anti-malware software is kept up to date on your device, whether it’s a PC, Mac, or mobile device.
  • Curate who you follow. Following suspicious accounts increases your chances of being exposed to social media scams, and even benign accounts can be hijacked by or sold to scammers.
  • Even if a verified connection sends you something suspicious, don’t click, as their account could have been hacked. Contact them through another channel to verify if the message is legitimate.
  • Beware of brand impersonations. Unless the account carries the network’s own verified checkmark, do not click anything it posts, as it is likely an impersonation of the real profile. A checkmark image pasted into a profile picture or display name is not the real badge.
  • Above all, be careful what you click on social media! If it looks suspicious, it probably is.
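Several of the items above (hover over links and look for impersonator URLs and lookalike characters, do not rely on HTTPS alone, distrust brand names that appear in the wrong domain) can be mechanised. The following is an added Python example, not code from the original post or from ZeroFox, that performs those checks on a URL before anyone clicks it. The brand list, the confusable-character table and all sample URLs are constructed for illustration, and the registrable-domain logic is deliberately simplified (last two labels) rather than a full public-suffix lookup.

```python
"""Lookalike-link checks for URLs shared on social media.

Added example, not part of the original post: it mechanises the checklist
above (impersonator domains, lookalike characters, missing HTTPS) so the
hover-and-inspect step can be automated. The brand list, the confusable
table and every sample URL are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: brands whose login pages are commonly impersonated.
KNOWN_BRANDS = {"facebook.com", "instagram.com", "paypal.com"}

# A few Cyrillic/Latin confusables that render like ASCII letters (not exhaustive).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0131": "i", "\u0261": "g", "\u04bb": "h",
}


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for .com-style brand domains."""
    return ".".join(host.split(".")[-2:])


def skeleton(label):
    """Replace confusable characters with the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as faceb00k."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, brands=KNOWN_BRANDS):
    """Return a list of human-readable findings; an empty list means none."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append("not https")

    # Decode punycode (xn--) labels so the Unicode form can be inspected.
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            findings.append("punycode label: " + label)
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    uhost = ".".join(labels)
    if any(ord(ch) > 127 for ch in uhost):
        findings.append("non-ascii characters in host")

    skel_labels = [skeleton(lab) for lab in labels]
    skel = ".".join(skel_labels)
    reg = registrable(skel)
    if reg in brands:
        # Either the genuine domain, or a confusable spelling that maps onto it.
        if skel != uhost:
            findings.append("lookalike of " + reg)
        return findings

    # Brand name used as a subdomain, or embedded in a different registered domain,
    # or a registered domain within two edits of the brand (typo-squat).
    for brand in sorted(brands):
        name = brand.split(".")[0]
        if name in skel_labels[:-2] or name in reg.replace("-", ".").split("."):
            findings.append(f"{name} appears in a domain that is not {brand}")
        elif edit_distance(reg.split(".")[0], name) <= 2:
            findings.append(f"{reg} is within 2 edits of {brand}")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.facebook.com/login",
                   "http://facebook.com.secure-login.example/reset",
                   "https://f\u0430cebook.com/",
                   "https://faceb00k.com/"):
        print(sample, "->", check_url(sample) or "no findings")
```

The genuine login URL produces no findings, while the three constructed phishing-style URLs are each flagged for a different reason: a brand name parked in a subdomain of an unrelated domain (plus plain http), a Cyrillic “а” standing in for a Latin one, and a digit-for-letter typo-squat. Note that the last two are served over HTTPS and would carry a valid certificate, which is exactly why the padlock alone proves nothing. The edit-distance threshold of 2 is generous and will produce false positives on short, real domain names; in production you would pair it with an allow-list.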

While we think of social media as all fun and games (and quizzes), it carries inherent risk to brands and individuals. From fake accounts and offensive content to account hijacking, it's important for businesses to recognize the real security risks presented by social media and protect themselves accordingly. Learn more about ZeroFox's Social Media Security offering here.
