Social Networks Evil Twin Attacks

Mon, 18 Feb 2008 21:01:42 GMT

What will happen if someone impersonates you on a social network? Will that person be able to fool your friends and, as such, gain access to resources which only you are entitled to? Or are social networks protected enough to guarantee the credibility of the social participants?

Introduction to Social Networks Evil Twin Attacks

Let's have a look at a social network like LinkedIn. For those of you who don't know what LinkedIn is, let me say that it is probably the largest professional social network available today. Once you give information about your place of work and the education centers you used to attend, LinkedIn will try its best to hook you up with everyone else who has been associated with your employer, university, etc. The benefit is obvious: you keep in touch with people who may help you in the future. However, nothing stops someone from registering an account in the name of John Dawson, a reputable IT security expert, currently employed by HSBC, Canary Wharf, London. If the evil twin of John Dawson inhabits LinkedIn, how many people will trust that shady persona and, as such, be fooled into one of the biggest scams? I find this question very interesting and quite fascinating.

The hack here is not technical but rather psychological and definitely of a social nature. Remember, hacking could be considered the act of outsmarting others and as such it may take any form. Fooling people's beliefs is an important craft that has been with us since the dawn of humanity, yet we often fail to acknowledge its effectiveness. This is what Evil Twin attacks are all about. From a WiFi security perspective, the evil twin is the rogue access point that pretends to be a friendly network. From the social networks point of view, the evil twin is a hacker or a bot disguising itself as the real person.

Social Networks Evil Twin Attacks work both ways. First, the impersonator gets the chance to lure the victim's current friends into a trap. Second, he can trap people who try to contact the real person along the way. Therefore, if the evil John Dawson is approached by someone who is looking for work in his sector, he will be in a very comfortable position to gain inside knowledge of that person's company, as people very often tend to serve up juicy information during the interviewing process.

Social Networks are a huge threat whether you realize it or not. The bad guys do not restrict the types of tools they use for their malicious activities the way whitehats do, for whom this seems to be part of technical eliteness. The bad guys will break into the targeted network by any means necessary. This includes fooling people, lying and cheating on their way towards their goal.

This post is kept fairly light as it is a raw idea which hasn't materialized into any form, but it is nevertheless important to consider, especially today, when we are surrounded by the Social Networks phenomenon. The whole idea of this post is to introduce you to a concept which you may or may not have already given any thought to.

Jim Manico
1) It's very labor intensive to create a LinkedIn profile; it will take time before an active profile will gain traction with your friends - giving you a significant chance to spot it - assuming you are already an active user.
2) Upon finding that someone is impersonating your identity, contact LinkedIn, possibly sending them proof of identity.
If you have questions or comments about this privacy policy, please email us at [email protected] or contact us at:

LinkedIn Corporation
Attn: Privacy Policy Issues
2029 Stierlin Court
Mountain View, CA 94043
3) Networks as well as information are mostly porous. These kinds of consumer information issues can only be protected via intrusion detection and/or identity protection. It's too late, your info is out there.
pdp
Jim, on your first point, I disagree. It is pretty straightforward. You open an account and then contact people that want to be part of your social network. Second, sending additional information about yourself to a social network which is designed to trade this information with others is a pretty bad idea. On your final point, I completely agree. My information is out there and it is quite easy to impersonate me as well as many, many, many others. I am sure that it is extremely easy to impersonate you as well, given the fact that you have a blog.
Jim Manico
On 1) Fair enough. On 2) Still disagree; once someone has hijacked your identity, you can contact the owners of LinkedIn to prove your identity and get the offending account removed. You do not need to give them all your biometrics, passport etc. I'm sure a simple license will do. And if you are in a position where you are overly concerned about identity theft - you should get identity theft insurance and monitoring. On 3) Sure, impersonate me, and while you are at it please help debug and/or work on some of my code. I also have a few project proposals you can help me work on.... ;-)
agent0x0
Good post guys. I agree with pdp that blogging, and social networking use in general will make you vulnerable to impersonation. I believe it depends on how much personal information you give out on these types of networks. In my LinkedIn profile I don't make my profile public, and only allow connections from people I know directly. For me, I feel the career benefit of LinkedIn is worth a bit of risk with my personal information. I have a blog as well but I keep it as anonymous as I can...I guess I am a bit security paranoid and don't like my real name even on my blog. However, I have talked to other bloggers and they will say that to them it's worth the risk to have their real name on their blog. It all comes down to your own "personal risk assessment". :)
roko
Some weeks ago I was thinking about this "social network" fanatic movement and how people trust (blindly) in the information shown on this kind of website... and I was wondering, what would happen if someone hacks a social network like Facebook, LinkedIn, etc. and takes control of some (or all) of these online profiles. Good article.
EC
Great article pdp. Take a look at this paper related to your thinking about social networks. http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf Regards. EC
Benjamin Juang
Lurker here - I've actually experienced a shadow of this lately. I'm one of the administrators and developers of a facebook application, and someone took my profile picture and changed their facebook name to match mine, and started posting in the application forums. Thankfully, facebook has things set up so that posts by application developers show up in light-green... so no one could have been fooled, unless they weren't aware of the normal light-green system. But it would have been easy for him to go through my friend list, messaging them... Also, what about creating the profile of your victim on a social network before they establish their connections there? Then building off a list of the victim's friends found on one social network, they could connect to the victim's friends on the other social network. (Badly worded, sorry - it's getting late)
pdp
Benjamin, exactly. If the attacker creates a twin profile on a social network where their victim hasn't been registered already, it will be trivially easy to fool the victim's friends on other social networks. EC, let me have a look at that paper... 10x for sharing.
James
There is some work being done in this arena at Carnegie Mellon University's Heinz School of Management. In particular, see Becker's paper on identity theft via social network profile theft, and Acquisti's papers on identifying social security numbers from Facebook profiles.
Jim Manico
This has nothing to do with social networks - it has to do with the open nature of web and personal information. What is to stop me from posting information about you on a blog? Or setting up an email address that looks like your name? This is similar to the argument "Ajax makes you more insecure" - it's the same web 1.0 transparency of information problem - only faster with Social networks.
pdp
The simple fact that social networks make you more connected with your peers and the fact that people use social networks to do business is a significant change which raises some interesting questions, like the one in the article above. As for AJAX, AJAX does introduce some security problems!
jerry shenk
I've been a little slow to get into the "social networks" phenomenon. Privacy has been my main concern but as has been stated...there is SO MUCH information about me out there already, what's the big deal...so I gave in about 2 weeks ago. Listening to the discussion between Jim and pdp, perhaps there is more danger in NOT getting involved. If I am not involved, then an attacker has plenty of time to impersonate me, build trust relationships and "do bad things".
Jim Manico
Ajax does not introduce security problems any more than Web 1.0 introduces security problems. That is, unless of course, you are pushing business logic to the client - which is a no no independent of Ajax. Ajax just introduces more endpoints. The same security web 1.0 implications apply, nothing new.
pdp
jerry, I agree. Jim, it does. :) For example, due to AJAX, CSRFing JSON calls practically exploded as a preferred attack vector for exploiting AJAX applications. Some people know this as JavaScript hijacking but I don't like that name.
Jim Manico
JSON is not specific to AJAX (specifically, asynchronous communication with a web server). It's a very old-school (decade or more) way of representing data in JavaScript. And still, you need to secure your JSON service endpoints the same way you would secure those 1.0 endpoints. Web 1.0 security. CSRF is also very old school, it was called "Session riding" in the past and has been around since the dawn of the dynamic web.
pdp
Jim, can we move this discussion to a private channel or maybe even a separate post? It is kind of unrelated to the content and a lot of people will get confused. I do agree on some of your points but maybe I should rephrase my statement a bit to be more accurate. Thanks for the comments.
toppleganger
Well, what is the craic my people, I am nuts and I thought I would have a look to see if I could pick my victim out. I love it and in the next few days you will see your twins