FB Dangers

Posted by Daeity On Thursday, November 24, 2011

Continuing on with my thoughts about manipulation and how (many) users don't view Facebook as very useful or reliable, I wanted to demonstrate a practical example of how it can be used and has been used (many times) with great success.

This is also a warning piece about the dangers of employees using Facebook, really any profile site for that matter.

Here's a very good practical example from a completely open (public) Facebook profile:

And remember, this is just one example out of HUNDREDS, if not thousands. I chose this one specifically because it was public, and you can see it for yourself.

While others are saying "Facebook is unreliable for real information!!!" I think that you're beginning to see some of the real possibilities here.

The problem with WOW phishing scammers is that they don't really have any personal details about their targets, so they're left with very generalized phishing lure emails, and they try to email as many people as possible (usually using email addresses datamined from WOW gaming forums.)

But look at the dangers associated with Facebook in this case.

  • You now have detailed personal information about every one of these individuals.
  • You know where they live.
  • You know their profession and where they work.
  • You know their family members and their email addresses too.
  • You have their own personal email address.
  • You know that this is also their Battle.net LOGIN ID.
  • And you know that they're in the Diablo 3 Friends & Family beta.

I don't know about you, but to me that's a tremendous amount of highly useful information for targeted and very convincing phishing scams or trojan horse email attachments. This is the kind of stuff that scammers salivate over.

All of these users just publicly posted a ton of information about themselves and they didn't even care. This is how dangerous Facebook is, and why it is indeed reliable for useful information or leaks.

All over Facebook, Blizzard employees have been handing out F&F Diablo 3 beta invites like candy (typically 15 available each). Even to people they hardly even know. Can you see how easily certain employees could be manipulated, or how anyone with insincere intentions could get an invite too?

Here are some theoretical examples:
  • Pick a group of lesser known Blizzard artists (Concept, Cinematics, Character, Environments, etc.) who have Facebook accounts. Start following them on their blog or art forum, compliment them on their new postings, stroke their ego, and do it over a few weeks or months. Once they start getting used to your name/alias, send a FB invite to join them and tell them who you are ("Hey, this is uberfan98 from CGHUB! I love your art, mind if we connect through FB?"). It works better before the F&F beta starts of course, but it's still possible to get an invite if they haven't burned through them already.
  • This isn't just limited to artists or developers, though; often the support staff or sound engineers are overlooked, and they have plenty of extra beta invites available: IT Managers, Customer Service, Recruiting, DBAs, Network Administrators, Web Designers, etc.
  • You can also get invites through their blog, Twitter, or other profile. And, the shy or quiet ones will always have a lot of beta invites available (look for ones who blog about their cats.. just sayin'). If their blog is more about themselves, and they don't have any pictures of their family or friends, they'll have a lot available.
  • People who are in a hurry can just randomly send out Facebook invitation requests to random employees to see who bites ("I'm a huge fan! Let's be friends!"). Or, because FB reveals so much about users, it makes it really easy just to pretend to be an old friend from high school or college ("Hey! I sat behind you in.. uhhh... History, yeah that's right").
  • The problem with pretending to be someone else, though, is that you need to create a backstory for your new internet identity. For example, create a new email address, create a new Battle.net account, and use a different mailing address in your registration. The overly paranoid should also use a VPN during all of this. It's very unlikely that your "mark" would ever check IP information against your location, though; they would just look at your email address or B.Net account summary.

This is something I've known about for a very long time, and I know for a fact that many people have exploited their "friends" for Beta invites. There are hundreds of profile accounts out there right now, with thousands of F&F beta invites still available. And, once you get your foot in the door, you're more eligible (almost guaranteed) for future beta invites.

Facebook unreliable and not very useful? Right.

Anyone who ever says this is completely oblivious to the dangers of the internet, and they have probably revealed a ton of personal information about themselves publicly. If you were to leave a USB drive labelled "naughty pix" outside their front door, they're the kind of people who would plug it into their work computer to see what's on it (and not even consider the ramifications.)

The internet is not always a nice place, and you would be wise to remove all personal information about yourself from it. This is just one example of why (and why you should never mix your social life with work).