October 01, 2013 — Facebook has announced new changes to the way Graph Search discovers information, including the fact that status updates, photos, check-ins, and comments are now included in search results. This new stream of information offers criminals developing phishing campaigns all-new attack surfaces to exploit.
On Monday, Facebook revealed the latest changes to their Graph Search function, a tool that allows people to search for specific content on the social network. Previously, Graph Search was limited to information on a person’s profile or pages on the site, but now additional information, such as status updates, photos, check-ins, and comments will become discoverable as well. While these features are being touted by the social giant as a good thing, the risk they create is anything but.
This new stream of data offers a potential goldmine for criminals developing phishing campaigns, and for more experienced attackers, because searches can now focus on certain groups of people, from a given area, who are interested in, or have a relation to, a specific business, organization, topic, or hobby. It’s even possible to filter results by time, allowing details from long-forgotten comments or posts to see the light of day once again.
The data that is returned for a given search is limited only by the privacy settings on the post itself, or the overall settings by the user or their friends. Unfortunately, many people are still on default settings. As such, their profiles — including posts — are set to be shared to a much wider audience than they may intend.
“Facebook has a long standing tradition of dragging users to share more information — even if they don’t ask,” Trevor Hawthorn, the CTO of ThreatSim, told CSO.
ThreatSim is a company that focuses on spear phishing and awareness training. Earlier this year, the company contributed statistics to the Verizon Business Data Breach Investigations Report showing that the success of a given phishing campaign isn’t hard to predict: it takes only about three emails before a target will click on a link or open an attachment.
“Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice, and that probability goes up to 80%, and sending 10 e-mails approaches the point where most attackers would be able to slap a ‘guaranteed’ sticker on getting a click,” the Verizon report explains.
Half of the clicks in a given phishing campaign happen within 12 hours of the first e-mail being sent, but a click alone does not equate to a successful compromise. The more focused the campaign, however, the better the odds that a click leads to one. This is why enhanced searching on Facebook could spell trouble, and why organizations and the people in them need to be mindful of protecting what they post.
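The Verizon figures quoted above (three e-mails for a better than 50% chance of a click, six for about 80%, ten approaching certainty) fall out of a simple model in which each recipient clicks independently with the same per-e-mail probability. The following is an added illustration of that model, not code from the CSO article or from the Verizon report, and the independence assumption is mine; the report's own methodology is not described on this page. It inverts the "six e-mails, 80%" figure to get an implied per-e-mail click rate and checks the other two claims against it.

```python
"""Independent-trials model for "at least one click" in a phishing campaign.

Added illustration (not from the CSO article or the Verizon DBIR).
Assumption: every recipient clicks independently with the same
probability p, so n e-mails yield at least one click with
probability 1 - (1 - p)**n.
"""
import math


def p_at_least_one_click(p: float, n: int) -> float:
    """Probability that at least one of n recipients clicks, given a
    per-e-mail click rate p (0 <= p <= 1)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    if n < 0:
        raise ValueError("n must be non-negative")
    return 1.0 - (1.0 - p) ** n


def per_email_rate_for_target(target: float, n: int) -> float:
    """Invert the model: the per-e-mail click rate p at which n e-mails
    reach probability `target` of producing at least one click."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if n <= 0:
        raise ValueError("n must be positive")
    return 1.0 - (1.0 - target) ** (1.0 / n)


def emails_needed(p: float, target: float) -> int:
    """Smallest number of e-mails at per-e-mail rate p that reaches
    probability `target` of at least one click."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    # Solve 1 - (1 - p)**n >= target for n.
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


if __name__ == "__main__":
    # Implied per-e-mail click rate from "run it twice (6 e-mails): 80%".
    p = per_email_rate_for_target(0.8, 6)
    print(f"implied per-e-mail click rate: {p:.3f}")
    # Check the report's other two claims against the same rate.
    for n in (3, 6, 10):
        print(f"{n:2d} e-mails -> P(at least one click) = "
              f"{p_at_least_one_click(p, n):.3f}")
    print("e-mails needed for a coin-flip chance:", emails_needed(p, 0.5))
```

With that implied rate (roughly 0.235), three e-mails give about 55% and ten give about 93%, which is consistent with the report's wording. The point for defenders is that the per-e-mail rate, not the campaign size, is the lever: a better-targeted lure raises p, and because the curve is exponential in n, even a modest increase in p shortens the campaign an attacker needs to run.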
“Facebook has always been useful for attackers to gather information about a specific target. Facebook Graph turns this on its head and allows an attacker that doesn’t have a specific person in mind to browse and select several targets based on search criteria,” Hawthorn said.
The changes to Graph Search now make it possible to construct high-quality, well-targeted phishing messages from search results that the target may not realize are available to anyone.
“For example, I can now search for ‘Asian Restaurants visited by people who work for the U.S. Department of State’. That produces highly specific results that allows me to choose from a list of targets,” Hawthorn explained.
The data located via Graph Search is only as private as your friends [and you yourself] want it to be, Hawthorn added. Even if your details are locked down, check-ins and image tags or post tags still offer more insight than was previously available. When compared with the data from other social services such as LinkedIn, an attacker will now have stronger odds when targeting a person or organization.
“Before Facebook Graph, the attacker would have to dig deeper and infer a lot about a target’s interests, likes and employer. With Facebook Graph it’s easier to search for and find the answers to those questions — from the target himself,” Hawthorn said.