Think twice before you accept that 'friend' request

Human nature leads people to form communities and help each other--and that human nature can be turned against you with a fake social network account.

Have you ever received a request to connect on a social network from somebody you don't know? If you've been using social networks for more than a few weeks, the answer is most likely, "Yes". How you respond to such requests could expand your social network and open new horizons and opportunities for you, or it could expose you, and others connected to you, to a malicious social engineering threat.

What do you do when you receive a request from somebody you don't know? Some people dismiss such requests immediately without a second thought. However, most people do a little digging before determining how to handle the request. People like to be liked, so rather than rejecting this potential new "friend" out of hand, they do some research to find out how they know each other, or why this unknown person wants to connect with them.

Aamir Lakhani, a counter-intelligence and cyber defense specialist with World Wide Technology, shared details of a recent social engineering experiment in a presentation at the RSA Europe conference. In a staged penetration test, attackers were able to use social networks to build a fake identity and infiltrate an organization--a government agency in the business of cyber security and protecting state secrets.

It wasn't the first such experiment, and it won't be the last. In the scenario Lakhani described, the "attackers" put in some effort to make the fake social profile more credible. The team set up both a Facebook and a LinkedIn profile--both with similar corroborating information. They also used a photo of a local waitress at a restaurant frequented by the employees (with her permission), which was enough to make her subconsciously recognizable, but not so much that it set off red flags for any of the victims. Finally, the team went out on the Internet to other related sites and forums and posted comments and entries as the fake persona so that any cursory searches of the Web would verify her as real.

In most cases, though, getting someone to accept a request to connect is as simple as being connected with a few other people they know. They might click on the profile to see who this new stranger is, find out that four, or fourteen, or forty other people they're already connected with are also connected with the stranger, and voila! Social network connection request accepted.

That behavior--the idea that someone is deemed "safe" by virtue of having shared connections--creates a quickly escalating snowball effect. At first, one or two people might absent-mindedly accept the suspicious request. Then, a few other people will be wary, but will accept because they see that one or two other people they know are already connected with the stranger. The more people who connect with the fake social network profile, the more "credible" the fake persona becomes, and the quicker others will be to accept a request to connect.

Once the attacker has built a network of employees, the fun really begins. Now, the attacker is a "trusted insider", and those in the social network of the fake persona have their guard down. They won't hesitate to share information that wouldn't normally be shared with the general public, and they're much more likely to click on files or URLs shared from the fake social network profile.

An attacker can build a fake persona, and infiltrate an organization, and then lay low indefinitely. The longer the fake persona exists, the more credible and trusted it will seem. It takes on a life of its own, and it's there--ready to be triggered--whenever the attacker chooses.

It's nice to feel liked, and it's nice to want to befriend and help others. But, as a rule, you should really only accept requests to connect on social networks from people you actually know--not just people you think you may know or have something loosely in common with based on their social network profile or who your mutual "friends" are.

Copyright © 2013 IDG Communications, Inc.